NVisionIP and VisFlowConnect-IP: Two Tools for Visualizing NetFlows for Security
Meeting: NANOG36
Date / Time: 2006-02-14 9:30am - 10:00am
Room: Regency Ballroom
Bill Yurcik, NCSA

Bill Yurcik is currently Manager, Security R&D, and Senior Systems Security Engineer at NCSA. Prior to this he was Head of Security Operations at NCSA, so he has both a theoretical and practical background in computer network security. Prior to joining NCSA, Bill had 12 years of professional experience as a Network Engineer for large networks (Naval Research Laboratory, NASA, Verizon, and MITRE). He is a graduate of Johns Hopkins University (MS Electrical Engineering 1990, MS Computer Science 1987), the University of Maryland (BS Electrical Engineering 1984), and is Ph.D. ABD from the University of Pittsburgh (1994-99).
Abstract: We present two NetFlows visualization tools, (1) NVisionIP and (2) VisFlowConnect-IP. Both tools were developed from system administrator requirements, their designs have been peer-reviewed in security research forums, and usability testing is in process. Both present large-volume, complex data transparently to system administrators through simple, intuitive visual interfaces that support human cognitive processes.

NVisionIP visually represents the state of all IP addresses on large networks on a single screen window (we use a Class B address space as the default) with capabilities to filter and drill down to subnets and individual machines for details-on-demand. VisFlowConnect-IP visually represents flows between internal network IP hosts and the Internet, showing who is connecting with whom, with capabilities to filter and drill down to subnets and individual machines for details-on-demand. NVisionIP and VisFlowConnect-IP can be used individually or in unison for correlating events. This work is distinguished from others in that these are the first Internet security visualization tools to be freely available on the Internet and deployed in large production environments.
Files: Bill Yurcik Presentation (PDF)
NVisionIP and VisFlowConnect-IP (YouTube)
