About
The Nova Scotia Community College
• 20+ Sites (13 Campuses)
• 5500 IP Devices
• 25,000 Full-time/Part-time & Online Students
• 1,800 Employees
About
My Job
[Diagram: data tiers labelled from Warm to Cold: Session Data and PCAP; Metadata; Event and alert Data; Awareness]
About
This presentation
Zabbix
A very brief introduction
Data Sources
Where the raw information comes from and how
Rules for data sources
The rules I try to follow anyway
• Easy to collect and process (SIAFI)
• Clearly defined and concise
• Results should be consistent and verifiable
• Cheap (resource wise)
• Preferably not proprietary
Putting it all together.
Presentation
status.nscc.ca
[Diagram: tab layout with numbered regions 1 to 5: Section Title, Links to sections within this tab, Section Content (a graph or stub or both), Section note, …; data source badges: FLOW, IDS, NESSUS, URL, ZABBIX, SH]
Control #1, Control #2, Control #3
Section content
A graph created with RRDTool that shows Internet Traffic
FLOW
Section content
A graph created with Zabbix that shows filesystem utilization
ZABBIX
Section content
A graph created with JpGraph that shows IDS alert data
IDS
IP2C
Section content
A graph created with Afterglow that shows IDS alert data
IDS
Section content
A Stub created with a MySQL query that shows blocked Email
A Section
A graph and stub (flow-tools) combined that show Blackhole activity
FLOW
Rules for data presentation
Ok, maybe just suggestions
• Be consistent and conscious of flow
• Be clear. Use helpers
• Be mindful of loading time
• Don’t “dead end” the user
• Think ahead
Tab COMPLIANCE: Contains compliance related information
WWW, NESSUS, ZABBIX
Nessus HTML output
• BIG! 300K to 1.5M in size; redundant
• Difficult to navigate
• Single option for host representation
Modified HTML output
• Small! Under 10K
• Just report relevant info
• Sort option on column headings
• Hostname and IP
Tab DEVICES: Contains maps created by Zabbix
ZABBIX
Tab EMAIL: Contains SPAM summary data and Exchange environment information
ZABBIX
IP2C
This link graph shows a typical day of spam:
This link graph shows a particularly heavy day of spam:
FLOW, SH
Tab NETWORK: Contains high level network information
FLOW
FLOW
FLOW
FLOW
SH
Tab SITES: Acts as a loader for sensor content
SH
SH
SH
SH
SH
FLOW
FLOW
Tab STUDENT VLAN: An example (last one, promise) of grouped content
FLOW
IDS, SH
IP2C, IDS
IDS
The Future?
Where are we going
• URELLS
• Visuals with more depth
• New types of visuals:
  - Wordmaps (tag clouds)
  - Circos
• Hints in link area