
In document PUNTS DE COMENTARI DE TEXT (página 45-49)

Since version 4.75 of nmap, the user is able to draw a map of the network based on the underlying scan data (refer to the changelog section at [NMAP]). This is done through Zenmap, the graphical user interface for the nmap security scanner. The Zenmap GUI is not meant to replace the nmap command line tool but to make it more useful. According to Fyodor, the founder of nmap, some of its advantages are interactive and graphical results viewing, comparison (among scan results), convenience, repeatability, and discoverability [Zenmap]. The topology view used in Zenmap is an adaptation of the RadialNet program written by Joao Medeiros [RN07, JM08]. This type of graph corresponds to the animated radial layouts in Tamara Munzner’s node-link graph portfolio [TM06] or to the radial node-link diagram shown in [JH10]. Starting from the node at the center, it displays the nodes in a network hierarchy based on the path to that host. Each circle represents one hop-count (traceroute).

Figure 17: RadialNet/Zenmap network topology view. Starting from the scanning machine in the center, it shows the network distance to each destination host. Source [JM08]

Figure 17 displays a RadialNet/Zenmap network topology view of a case study on 50 Brazilian universities [JM08]. Starting from the scanning host at the center it shows how the 238 nodes in total are connected. Each regular host is represented as a little circle. The color and size of a host depend on the number of open ports on that host. The more open ports, the bigger the circle. A white circle means that the host was not scanned but is along

number of open ports is between three and six, and red stands for hosts that show more than six open ports. Network devices are shown as rectangles. Connections are shown in blue, whereas alternate paths between two nodes are drawn in orange. The additional icons next to some hosts indicate their type, i.e. a router, a switch, a wireless access point, a firewall, or a host that has some ports filtered [Zenmap]. The majority of the icons represent hosts with filtered ports (the icons in yellow). The blue icons identify four wireless access points and one network switch.

Hosts with more than six open ports can be identified quickly by looking at the network topology. However, these services are not necessarily vulnerable to known attacks. This is where the vulnerability scanning results come into play. Joao Medeiros proposed this type of integration as future work [JM08]. In a personal email conversation he mentioned that RadialNet is still under development but that new functions are not released very often because he is currently working on other projects. The radial tree layout is a good choice when displaying a large number of nodes due to its efficient utilization of space.
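The data behind such a view can be derived directly from nmap's XML output. The following added example (not code from RadialNet, Zenmap or the original text) places each node on a ring by traceroute hop count and classifies scanned hosts by their number of open ports; the sample scan is constructed, and the function names and class labels are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _host(addr, open_ports, path):
    """Build one <host> element in nmap's -oX layout (constructed sample data)."""
    ports = "".join(f'<port protocol="tcp" portid="{p}"><state state="open"/></port>'
                    for p in open_ports)
    hops = "".join(f'<hop ttl="{i}" ipaddr="{ip}"/>' for i, ip in enumerate(path, 1))
    return (f'<host><address addr="{addr}" addrtype="ipv4"/>'
            f'<ports>{ports}</ports><trace>{hops}</trace></host>')

# Constructed scan result; all addresses are from documentation ranges.
SAMPLE_XML = "<nmaprun>" + "".join([
    _host("198.51.100.10", [22, 80], ["192.0.2.1", "198.51.100.10"]),
    _host("198.51.100.30", [22, 25, 80, 443], ["192.0.2.1", "198.51.100.30"]),
    _host("198.51.100.20", [21, 22, 25, 53, 80, 110, 443, 3306],
          ["192.0.2.1", "203.0.113.1", "198.51.100.20"]),
]) + "</nmaprun>"

def bucket(n_open):
    """Open-port classes from the text; the class above six is the one drawn in red."""
    if n_open > 6:
        return "more-than-six"
    return "three-to-six" if n_open >= 3 else "fewer-than-three"

def build_topology(xml_text):
    """Map address -> ring (hop count), parent hop and open-port class."""
    nodes = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        parent = "scanner"  # centre of the radial layout
        for hop in sorted(host.iter("hop"), key=lambda h: int(h.get("ttl"))):
            ip = hop.get("ipaddr")
            # Hops seen only in a trace stay "unscanned" unless scanned themselves.
            nodes.setdefault(ip, {"ring": int(hop.get("ttl")), "parent": parent,
                                  "bucket": "unscanned"})
            parent = ip
        n_open = sum(1 for p in host.iter("port")
                     if p.find("state").get("state") == "open")
        node = nodes.setdefault(addr, {"ring": None, "parent": None})  # no trace data
        node["bucket"] = bucket(n_open)
    return nodes

def rings(nodes):
    """Group addresses by ring, i.e. by the circle they are drawn on."""
    out = defaultdict(list)
    for addr, n in nodes.items():
        out[n["ring"]].append(addr)
    return {r: sorted(a) for r, a in out.items()}
```

Joining the resulting node table with vulnerability scanner findings per address is the integration step the paragraph above describes as future work.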


3.4 Conclusion

This chapter introduces the six-stage information visualization process. It is important that the goal of the visual representation and its message to the audience are defined prior to data analysis and data processing. Raw data is aggregated with additional information and context and transformed into a graphical representation. This is where the careful selection of graphical elements and properties described in chapter 2 comes into play. The visual representation can now be viewed and adjusted along the rules defined in chapter 2.3. It is very common that the first attempt does not provide the desired result and requires a number of iterations [RM08]. If the visual is satisfactory, it must be interpreted and validated against the desired message that has been defined at stage one. It is then up to the reader to decide whether or not the intended message is delivered and understood.

In addition to the information visualization process, this chapter introduces examples of visualizations that can be used in vulnerability management. Many of the basic graphs provided in the first part of this chapter are commonly seen in information security dashboards because of their level of aggregation. With few exceptions, upper management is not interested in the details of a specific vulnerability but rather in the number of critical issues and by when they will be solved (risk management). This is in line with Ben Shneiderman’s information seeking mantra [BS96]: “Overview first, zoom and filter, and then details on demand.” The visualizations presented in the second part of this chapter allow showing vulnerabilities in their context by providing additional information. This can be a treemap highlighting vulnerabilities and the hosts or services where they apply. Another example is using a node-link graph to represent a given network infrastructure.

A lot of research has been done in the area of attack trees and how they can be used to model the security of an entire network infrastructure. The latest developments of NetSPA/NAVIGATOR or TVA are able to combine firewall and network device configuration information with vulnerability scanning results [MC10, SJ10]. Besides a visual representation, the user is given a list of suggested countermeasures that are seen as most effective. The validation of security scenarios throughout the entire network is possible by performing a so-called “what-if analysis”.

The selection of visualizations provided here was driven by their applicability to vulnerability management. Along with the information visualization process they serve as the foundation to chapter 5.
