Presentation is loading. Please wait.

Presentation is loading. Please wait.

GIS Application in Firewall Security Log Visualization Juliana Lo.

Published byMarilyn Brown Modified over 8 years ago

Similar presentations

Presentation on theme: "GIS Application in Firewall Security Log Visualization Juliana Lo."— Presentation transcript:

1 GIS Application in Firewall Security Log Visualization Juliana Lo

2 Presentation Outline  What is a firewall  Problem definition  Project goal, objectives, constraints  Framework and system components  Solution  Conclusions

3 Firewall Definition A firewall is a hardware or software designed to permit or deny network traffic based on a set of rules Protect networks from unauthorized access.

4 Good and Bad Firewall Traffic

5 Bad Firewall Traffic Jun 1 22:01:35 [xx] ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: Port scan! From 1.2.3.4:54886 to 2.3.4.5:406, proto TCP (zone Untrust, int untrust). Occurred 1 times. (2004-06-01 22:09:03) Jun 1 22:01:57 [xx] ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: Port scan! From 1.2.3.4:55181 to 2.3.4.5:1358, proto TCP (zone Untrust, int untrust). Occurred 1 times. (2004-06-01 22:09:25) Jun 1 22:02:10 [xx] ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: Port scan! From 1.2.3.4:55339 to 2.3.4.5:1515, proto TCP (zone Untrust, int untrust). Occurred 1 times. (2004-06-01 22:09:38) Jun 2 11:24:16 fire00 sav00: NetScreen device_id=sav00 [Root]system-critical-00436 Log File

6 Firewall Security Log File Jun 1 22:01:35 [xx] ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: Port scan! From 1.2.3.4:54886 to 2.3.4.5:406, proto TCP (zone Untrust, int untrust). Occurred 1 times. (2004-06-01 22:09:03) Jun 1 22:01:57 [xx] ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: Port scan! From 1.2.3.4:55181 to 2.3.4.5:1358, proto TCP (zone Untrust, int untrust). Occurred 1 times. (2004-06-01 22:09:25) Jun 1 22:02:10 [xx] ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: Port scan! From 1.2.3.4:55339 to 2.3.4.5:1515, proto TCP (zone Untrust, int untrust). Occurred 1 times. (2004-06-01 22:09:38) Jun 2 11:24:16 fire00 sav00: NetScreen device_id=sav00 [Root]system-critical-00436 Important for  System monitoring, compliance, forensics Challenges  Too much information to go through  Can’t relate IP address to origin of traffic

7 Log File Transformation Jun 1 22:01:35 [xx] ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: Port scan! From 1.2.3.4:54886 to 2.3.4.5:406, proto TCP (zone Untrust, int untrust). Occurred 1 times. (2004-06-01 22:09:03) Jun 1 22:01:57 [xx] ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: Port scan! From 1.2.3.4:55181 to 2.3.4.5:1358, proto TCP (zone Untrust, int untrust). Occurred 1 times. (2004-06-01 22:09:25) Desired Outcome

8 Project Goal, Objectives, Constraints Goal  Develop a geolocation map application to visualize firewall traffic in near-real time Constraints  Projectduration - weeks not months  Cost – low budget Objectives  Geolocate IP address into locations  Near real-time events

9 Development Framework  Data Collection  Parsing Engine  Geolocation Service  Database Service  Visualization Server to capture firewall traffic Parser to extract IP addresses and other information Convert IPv4 address into location Append features and search for records Application to visualize IP locations

10 System Components  Firewall  IDE  Database  Map application Source of data Juniper Netscreen firewall Windows 7 development server for data collection, parsing, geolocation, and data updates CartoDB’s PostgreSQL database Javascript, HTML, CartoDB API, Leaflet, jQuery

11 Solution - Data Automation Step 1 - Firewall Configure system logging messages Syslog server Bad trafficEnable external data monitor

12 Solution - Data Automation Step 2 – Data Collection Install Syslog Watcher software on Windows machine to collect firewall traffic

13 Solution - Data Automation Step 3 – Parser Engine Simple data extraction program Python program extracts time stamp, firewall host, message level, error, from host, and number of occurrences

14 Solution - Data Automation Step 4 – Geolocation Service Program to look up location from IP address Uses MaxMind GeoLite City Database Python API import pygeoip gi = pygeoip.GeoIP(‘C:\\geocode\\GeoLiteCity.dat‘, pygeoip.MEMORY_CACHE) from_ip = ‘123.184.114.169’ rec = gi.record_by_addr(from_ip) city =rec[‘city’] country = rec[‘country_name’] latitude = rec[‘latitude’] longitude = rec[‘longitude’] print city, country, latitude, longitude >>> ‘Shenyang’,’China’,41.7922,123,4328

15 Solution - Data Automation Step 5 – Database Update Program to append new features to CartoDB’s PostGRES database Python API from cartodb import CartoDBAPIKey, CartoDBException API_KEY =‘<api_key’' DOMAIN = ‘ ' TABLE = ‘table_name’ COLUMNS = 'the_geom,alert,city,code,country,err,event_time,from_ip,latitude,longitude, occur’ cl = CartoDBAPIKey(API_KEY, DOMAIN) vals = “CDB_LatLng(%s,%s),'%s','%s',%s,'%s','%s','%s','%s','%s','%s','%s','%s',%s,%s sql = 'INSERT into %s (%s) VALUES (%s);' % (TABLE,COLUMNS,vals) cl.sql(sql)

16 Solution - Data Automation Step 5 – Database Table View

17 Solution - Data Automation Step 6 – Automated Updates Use Window’s Task Scheduler to automate the programs Auto-start every 5 minutes

18 Solution - Application Development Language: JavaScript Libraries: CartoDB API, Leaflet, jQuery Editor: NotePad+ Debugging tool: Google Chrome JavaScript Console

19 Results - Hits from Last 24 Hours Layers/Symbols Selectors Map Window Dashboard

20 Results – Select a date

21 Results – Clickable Features Click on a feature in the map to show details Top hosts or locations

22 Results – Application Features Pie charts show the distribution of hits by error types and by severity levels

23 Results – Different Symbols Number of occurrencesSeverity Levels Single symbol

24 Results – Animated temporal map

25 Results – Country breakdowns, last 7 days

26 Results – Top 5 hits from last 7 days

27 Conclusions Web-based GIS map application Live dynamic data Leverage cloud infrastructure Low-cost solution

28 Issues and Improvements Geolocation result accuracy Zero accuracyCountry centroid

29 Issues and Improvements IP Evasion Issue  Web proxies, anonymizer software such as Tor Improvements  Add more filters  Handle multiple firewalls

30 Questions

31 Juliana Lo Pacific Disaster Center Email: jlo@pdc.org

Download ppt "GIS Application in Firewall Security Log Visualization Juliana Lo."

Similar presentations

The VeriTrak Enterprise Application Created for The Verification Company By CTO Source, Inc. This presentation provides an overview of the system and links.

The VeriTrak Enterprise Application Created for The Verification Company By CTO Source, Inc. This presentation provides an overview of the system and links.
The System Center Family Microsoft. Mobile Device Manager 2008.

The System Center Family Microsoft. Mobile Device Manager 2008.
ESafe Reporter V3.0 eSafe Learning and Certification Program February 2007.

ESafe Reporter V3.0 eSafe Learning and Certification Program February 2007.
IP ADDRESS MANAGEMENT [IPAM]

IP ADDRESS MANAGEMENT [IPAM]
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
IWay Service Manager 6.1 Product Update Scott Hathaway iWay Software Copyright 2010, Information Builders. Slide 1.

IWay Service Manager 6.1 Product Update Scott Hathaway iWay Software Copyright 2010, Information Builders. Slide 1.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Supervisor: Amichai Shulman Students: Vitaly Timofeev Eyal Shemesh.

Supervisor: Amichai Shulman Students: Vitaly Timofeev Eyal Shemesh.
MyCloudIT Removes the Complexity of Moving Cloud Customers’ Entire IT Infrastructures to Microsoft Azure – Including the Desktop MICROSOFT AZURE ISV: MYCLOUDIT.

MyCloudIT Removes the Complexity of Moving Cloud Customers’ Entire IT Infrastructures to Microsoft Azure – Including the Desktop MICROSOFT AZURE ISV: MYCLOUDIT.
CS 337 Final Project Presentation Asset Management and Tracking Developers: –Jimmy Hoo –Edwin Panameno –Manuel Segura –Sheng-Tian Lin Customers –Alexandre.

CS 337 Final Project Presentation Asset Management and Tracking Developers: –Jimmy Hoo –Edwin Panameno –Manuel Segura –Sheng-Tian Lin Customers –Alexandre.
GIS APPLICATION IN FIREWALL LOG VISUALIZATION Penn State MGIS 596A Peer Review Presenter: Juliana Lo Advisor: Dr. Michael Thomas Date: December 17, 2014.

GIS APPLICATION IN FIREWALL LOG VISUALIZATION Penn State MGIS 596A Peer Review Presenter: Juliana Lo Advisor: Dr. Michael Thomas Date: December 17, 2014.
MANAGED SERVICES OPERATIONS. Increasing IP Infrastructure Complexity Requires Greater Need for Services Data Center B2B Links Branch Offices Distribution.

MANAGED SERVICES OPERATIONS. Increasing IP Infrastructure Complexity Requires Greater Need for Services Data Center B2B Links Branch Offices Distribution.
Security Guidelines and Management

Security Guidelines and Management
Platform as a Service (PaaS)

Platform as a Service (PaaS)
PC Manager Meeting January 25, 2006. Today Updates –Next Meeting –Meeting Maker Upgrade –Windows Policy –Training –Licensing –Security –Tool Of The Month.

PC Manager Meeting January 25, Today Updates –Next Meeting –Meeting Maker Upgrade –Windows Policy –Training –Licensing –Security –Tool Of The Month.
SOE and Application Delivery Gwenael Moreau, Abbotsleigh.

SOE and Application Delivery Gwenael Moreau, Abbotsleigh.

Similar presentations

Ads by Google