Mr. Buddha, Mark Curphey, mentioned dashboards recently, which got me all giddy at the link he provided to a site about information dashboards. I love me some dashboards. I love them enough that I have a section of my menu on the right devoted to security dashboards. Dashboards are used to distill relevant information down to a, hopefully, more visual representation of your reality. Not only that, but have you ever had someone in the management chain above you go ga-ga over the pretty pictures and lights and trends on your desk, even when they have no friggen clue what it all means? People seem to react positively to seeing things like this on a network or security admin’s desk. At a previous job, I didn’t get too many people walking by wondering what I had up my sleeve for that day, but whenever I turned on a dashboard, I had plenty of people from various job roles wander over and ask what all the lights and colors were for and how “cool” it was. In my mind, it has become part of selling oneself as a technical and security expert.
Now, I want dashboards at home, someday. I don’t know if I will ever become proficient enough to roll my own, but I have plenty of spare systems and monitors around to utilize their extra cycles to display neat metrics and dashboards. Due to my current refusal to “settle,” I don’t have big furniture in my apartment like a desk or two, so the whole dashboard setup needs to wait a bit more.
But I thought it worthwhile to write down, for myself, a bit of a wishlist on dashboards I’d like to see on my desk over time. Note that this is at home, although many of these things should be able to scale up to enterprise use. Suggestions for tools are welcome.
- visual traffic monitoring – like etherape or eve or plenty of other tools that give a pretty view of what and where traffic is on the network.
- less visual traffic monitoring – like a tcpdump scrolling by on a monitor; only tailored down to watch the things that are really important (and not my workstation streaming web radio…)
- traffic summary – a summary of traffic levels to web, mail, VPN, SSH servers and so on; even as pared down as simple daily log file sizing.
- system monitoring – on a basic level, what is up and what is currently down. On a deeper level, system health such as CPU, RAM, and disk usage, running processes, and so on.
- service monitoring – on an even deeper level, any time traffic to something comes in it can log, throw a visual cue, or send a quick message, for instance a login attempt on SSH or VPN.
- arp watching – roll your own basic NAC rogue detection on a network by monitoring arp requests in a DHCP network, using arpwatch or arpalert (I think those are the names).
- security monitoring – tripwire-like integrity detection on important systems, account creation events
- IDS – things like Snort alerts, although these aren’t as useful on a dashboard, per se.
- threat/vulnerability/external – It is nice to monitor one’s own realms, but none of us are islands. We need to know about changing threats, new vulnerabilities, or maybe some trend or new attack vector affecting the security health of the Internet as a whole. There are plenty of these sorts of dashboards available, since they lend themselves well to the web.
- wireless – kismet, just to keep an eye open for new clients and the wireless networks in the area
- wireless spectrum analyzer – run the pretty Wi-Spy tool in a corner to monitor the health of the wireless frequency range.
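The “service monitoring” and “account creation events” items above boil down to turning a few log lines into dashboard events with a colour cue attached. Here is an added example of that idea, not code from the original post: a small Python feed that reads auth-log style lines, picks out SSH login attempts and new-account events, and decides whether the tile on the monitor should be green, yellow or red. The log lines are constructed sample data in the shape of a Linux auth.log (sshd and useradd messages); the hostname, users and addresses are made up, and the five-failure threshold is an arbitrary choice for the example.

```python
"""Added example: auth-log event feed for a home security dashboard.
The sample lines below are constructed, not a real capture."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample auth.log lines (hostname, users and addresses are made up).
SAMPLE_AUTH_LOG = [
    "Mar  3 10:02:11 homebox sshd[2312]: Accepted publickey for mike from 192.168.1.10 port 51234 ssh2",
    "Mar  3 10:05:47 homebox sshd[2340]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2",
    "Mar  3 10:05:49 homebox sshd[2340]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2",
    "Mar  3 10:07:00 homebox useradd[2401]: new user: name=backup, UID=1002, GID=1002, home=/home/backup, shell=/bin/bash",
    "Mar  3 10:08:13 homebox CRON[2410]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

TS = r"(?P<ts>\w{3}\s+\d+\s+[\d:]+)"
SSH_RE = re.compile(
    TS + r"\s+\S+\s+sshd\[\d+\]:\s+(?P<result>Accepted|Failed)\s+(?P<method>\S+)"
    r"\s+for\s+(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)
USERADD_RE = re.compile(
    TS + r"\s+\S+\s+useradd\[\d+\]:\s+new user:\s+name=(?P<user>[^,]+),\s+UID=(?P<uid>\d+)"
)


@dataclass
class Event:
    ts: str
    kind: str          # "ssh_accepted", "ssh_failed" or "account_created"
    user: str
    src: Optional[str]  # source address for SSH events, None for local events
    detail: str


def parse_auth_line(line: str) -> Optional[Event]:
    """Turn one auth.log line into an Event, or None if it is not one we chart."""
    m = SSH_RE.match(line)
    if m:
        kind = "ssh_accepted" if m["result"] == "Accepted" else "ssh_failed"
        return Event(m["ts"], kind, m["user"], m["src"], f"{m['result']} {m['method']}")
    m = USERADD_RE.match(line)
    if m:
        return Event(m["ts"], "account_created", m["user"], None, f"uid={m['uid']}")
    return None  # cron sessions, sudo chatter, etc. are not on this tile


def build_feed(lines: List[str]) -> List[Event]:
    """Parse a batch of lines, dropping the ones the dashboard does not track."""
    return [e for e in (parse_auth_line(l) for l in lines) if e is not None]


def summarize(events: List[Event]) -> dict:
    """Counts per event kind plus failed-login counts per source address."""
    kinds = Counter(e.kind for e in events)
    failed_by_src = Counter(e.src for e in events if e.kind == "ssh_failed")
    return {
        "ssh_accepted": kinds["ssh_accepted"],
        "ssh_failed": kinds["ssh_failed"],
        "account_created": kinds["account_created"],
        "failed_by_src": dict(failed_by_src),
    }


def tile_color(summary: dict, fail_threshold: int = 5) -> str:
    """Visual cue for the tile: red for an account creation or a source hammering
    SSH, yellow for any failed login, green otherwise. Threshold is arbitrary."""
    if summary["account_created"] > 0:
        return "red"
    if any(n >= fail_threshold for n in summary["failed_by_src"].values()):
        return "red"
    if summary["ssh_failed"] > 0:
        return "yellow"
    return "green"


if __name__ == "__main__":
    feed = build_feed(SAMPLE_AUTH_LOG)
    for ev in feed:
        print(f"{ev.ts} {ev.kind:16} user={ev.user} src={ev.src} {ev.detail}")
    summary = summarize(feed)
    print(summary, "->", tile_color(summary))
```

On a real box you would feed this from `tail -f /var/log/auth.log` (or journald) instead of the constructed list; the parsing and colour logic stay the same. The account-creation rule is deliberately unconditional: on a home network a new UID is rare enough that it should always light the tile up until you acknowledge it.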
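The “arp watching” item is the one that is easiest to roll by hand, so here is an added example of the core of an arpwatch-style rogue detector, again not code from the post or from arpwatch itself. It learns a baseline of IP-to-MAC pairings from ARP replies, then flags two changes on the live feed: a MAC address it has never seen (a new station on the DHCP network) and a known IP that suddenly answers from a different MAC. The `is-at` lines are constructed sample records in a tcpdump-like shape; the addresses are made up.

```python
"""Added example: minimal arpwatch-style IP/MAC change detector.
All ARP records below are constructed sample data, not a real capture."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed records: "<time> <ip> is-at <mac>" as seen in ARP replies.
SAMPLE_BASELINE = [
    "09:00:00 192.168.1.1 is-at 00:11:22:33:44:01",
    "09:00:02 192.168.1.10 is-at 00:11:22:33:44:0a",
    "09:00:05 192.168.1.20 is-at 00:11:22:33:44:14",
]
SAMPLE_LIVE = [
    "10:15:31 192.168.1.10 is-at 00:11:22:33:44:0a",   # known pairing, quiet
    "10:16:02 192.168.1.77 is-at de:ad:be:ef:00:01",   # never-seen MAC joins
    "10:17:45 192.168.1.1 is-at DE:AD:BE:EF:00:01",    # gateway IP now from that MAC
    "10:18:00 192.168.1.20 is-at 00:11:22:33:44:14",   # known pairing, quiet
    "garbage line the parser should skip",
]

ARP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)


def parse_arp_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (ts, ip, mac) with the MAC lower-cased, or None for non-ARP lines."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["ip"], m["mac"].lower()


@dataclass
class ArpWatcher:
    bindings: Dict[str, str] = field(default_factory=dict)  # ip -> last MAC seen
    known_macs: Set[str] = field(default_factory=set)       # every MAC ever seen

    def seed(self, lines: List[str]) -> None:
        """Learn the baseline silently; nothing here raises an alert."""
        for rec in map(parse_arp_line, lines):
            if rec:
                _, ip, mac = rec
                self.bindings[ip] = mac
                self.known_macs.add(mac)

    def observe(self, line: str) -> List[str]:
        """Update state from one live record and return any alerts it produces."""
        rec = parse_arp_line(line)
        if rec is None:
            return []
        ts, ip, mac = rec
        alerts = []
        if mac not in self.known_macs:
            self.known_macs.add(mac)
            alerts.append(f"{ts} NEW STATION {mac} at {ip}")
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts} CHANGED {ip}: {prev} -> {mac}")
        self.bindings[ip] = mac
        return alerts


def run_watch(baseline: List[str], live: List[str]) -> List[str]:
    """Seed from a baseline, then replay live records and collect alerts."""
    watcher = ArpWatcher()
    watcher.seed(baseline)
    alerts: List[str] = []
    for line in live:
        alerts.extend(watcher.observe(line))
    return alerts


if __name__ == "__main__":
    for a in run_watch(SAMPLE_BASELINE, SAMPLE_LIVE):
        print(a)
```

The caveat a home user hits immediately: a plain DHCP lease reassignment also produces a CHANGED alert, so expect some noise for client addresses. The alert worth treating as a real cue is a CHANGED on an address that should never move, such as the gateway or a server with a static lease, which is exactly what the third live record above triggers.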
Ok, so all of this is pretty personal to me, because I am a firm believer in keeping one’s fingers not just in the trenches of the back room, but making sure they are constantly feeling for a pulse, temperature, clamminess, etc. So much about security and IT in general has a fundamental base of monitoring for changes and abnormalities. It’s the part of me that is a control/information freak which lends itself well to the field. And yes, I like having a few non-screensaver’d monitors around me showing me what is going on at all times.