
Network Visualization

Updated
June 6, 2024

Network visualization is the most powerful feature of NP-View.  Create a workspace, import configuration files and supporting meta data, and NP-View’s visualization function will process the information into a usable network diagram.

Home View

The Home View shows the user a high level overview of the primary devices within a workspace (Firewalls, Routers and Switches).  The home view is the starting point for all workspaces. Devices can be connected by a solid or dotted line. A solid line indicates evidence of a direct connection.

From the home view, the user can:

  1. Select a single device (left click) to view details on the information panel.
  2. Select multiple devices and create zones. See more info on zone creation.
  3. Select one or more devices and create a view. See more info on view creation.

When objects are moved on the topology map, the ‘Save Topology’ button will become active.  Multiple objects can be moved prior to saving the topology.

If the user attempts to switch views before saving, a notification will be presented as follows:

The user can either cancel the operation and then select ‘Save Topology’ or proceed to the selected view without saving.  Selecting OK can also be used as an undo function.

Topology Network Map

From the topology view, the user can rearrange the objects on the canvas by selecting and dragging a device to a new location. Device location can be saved with the “Save Topology” button.

Devices can be assigned a category (colored text tag) and criticality (colored ring).

If a device has active alerts, the number of alerts is displayed in the top-right corner (red circle).

If a device has user entered comments pertaining to this device, the number of comments is displayed in the top-left corner (blue circle).

Multiple devices can be selected by holding the shift key down (the cursor changes to a + sign) and dragging the mouse to make the selection.  The Ctrl key can be used to select / deselect individual devices. Once selected, the devices can be assigned to a common category or criticality.  Alternatively, the devices can be assigned to a zone. See more info on zone creation.

Unmapped hosts and networks indicate IP addresses that are external to the topology and could not be connected to primary networks. For a given networking device (e.g., a firewall), primary networks constitute the IP ranges defined by its interfaces. In other words, all the networks a device faces are called primary. Nonetheless, the device’s ruleset can refer to arbitrary IP spaces, not necessarily those within primary ranges. Consequently, NP-View identifies those external/unknown IP spaces as hosts, networks, or ranges, as defined in the config, and places them behind the Unmapped gateway.
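The classification described above, as an added illustration that is not NP-View's own code: a firewall's primary networks are taken from its interface subnets, and every IP space its ruleset references (written as a host, a CIDR network or an address range) is either placed on the interface whose subnet fully contains it or marked unmapped. The interface names, subnets and rule references are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from NP-View): interface subnets of one firewall.
# These subnets are the firewall's "primary networks".
PRIMARY_NETWORKS = {
    "eth0": ipaddress.ip_network("10.1.0.0/24"),
    "eth1": ipaddress.ip_network("192.168.50.0/24"),
    "dmz":  ipaddress.ip_network("172.16.8.0/22"),
}

# Constructed sample data: IP spaces referenced by the firewall's ruleset,
# written the three ways a config typically expresses them.
RULE_REFERENCES = [
    "10.1.0.25",                     # single host on eth0
    "172.16.9.0/24",                 # network inside the dmz subnet
    "192.168.50.10-192.168.50.20",   # range inside eth1
    "203.0.113.7",                   # host not on any interface
    "198.51.100.0/24",               # network not on any interface
    "8.8.8.0-8.8.8.255",             # range not on any interface
]


def parse_reference(ref):
    """Parse a host, a CIDR network or an 'a-b' range into (kind, [ip_network, ...])."""
    if "-" in ref:
        first, last = (ipaddress.ip_address(p.strip()) for p in ref.split("-", 1))
        return "range", list(ipaddress.summarize_address_range(first, last))
    net = ipaddress.ip_network(ref, strict=False)
    kind = "host" if net.prefixlen == net.max_prefixlen else "network"
    return kind, [net]


def classify_reference(ref, primary=PRIMARY_NETWORKS):
    """Place a rule reference on the interface whose subnet contains all of it,
    or mark it 'unmapped' when no primary network covers it."""
    kind, blocks = parse_reference(ref)
    for iface, subnet in primary.items():
        if all(block.subnet_of(subnet) for block in blocks):
            return {"reference": ref, "kind": kind, "placement": iface}
    return {"reference": ref, "kind": kind, "placement": "unmapped"}


def unmapped_references(refs=RULE_REFERENCES, primary=PRIMARY_NETWORKS):
    """Everything the ruleset mentions that would sit behind the Unmapped gateway."""
    return [r for r in refs if classify_reference(r, primary)["placement"] == "unmapped"]


if __name__ == "__main__":
    for ref in RULE_REFERENCES:
        c = classify_reference(ref)
        print(f"{c['reference']:32} {c['kind']:8} -> {c['placement']}")
```

A reference is only placed on an interface when every block of it falls inside that one subnet; a range that straddles two interfaces, or spills past a subnet boundary, ends up unmapped, which is the conservative outcome when the topology cannot vouch for where the addresses live.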

Additional topology features include expand / collapse a node, auto arrange peers in a circle and pin / unpin a specific node. These features are available when clicking on a node and using the kebab menu on the info panel.

Tip: When importing devices, the topology map attempts to place each node in an unused slot but may overlap nodes and paths.  By selecting unpin, moving one device, selecting center and then pin, the map will auto arrange.  For topologies with over 100 nodes, the hosts will automatically be collapsed to make the map easier to read. Each collapsed network can be individually expanded or the entire map can be expanded, but for very large workspaces this may take some time.

Firewall Device Information

For Firewalls, Routers and Switches, when selecting a device, the device attributes will be displayed on the left device information menu. The device panel will be displayed with the appropriate label. The device type is defined by heuristics.  If the device is misclassified, clicking on the drop down allows the user to reclassify the device as a firewall, router or switch.

The user can also assign a category and a device criticality. Additional information includes being able to review multiple versions of configuration files and compare them with the diff viewer. Configuration files must have the same name for the diff viewer to identify and compare files.

A risk assessment grade is assigned for each firewall based on the number of open risks and warnings and their associated criticality.

The connectivity matrix shows all of the connections for the selected firewall and the IP rules for each connection. This is only available from within a custom view.

Risks and Warnings shows the active risks, warnings and the criticality for the selected device.

Access Rules shows the rules for the selected device with the ability to compare two sets of rules and display the differences.

Object groups shows the object groups for the selected device.

A summary of the number of routes and a table of the interfaces are also displayed. Administrators and Workspace Admins can delete devices from the workspace.

Host Information

For hosts, the following is displayed:

Users can assign a category and a criticality.

Display inbound / outbound connectivity paths as well as displaying stepping stone analysis.  Inbound and outbound connections are filtered to show the exact match for a given path. In some cases, no inbound or outbound paths will be displayed. (See below)

Display the services loaded from netstat files.

Display vulnerabilities loaded from Nmap, Nexpose, and Nessus files.

Custom Views

Custom views are used to organize devices and analyze the paths between the devices. Path analysis and stepping stone analysis is only available from within a custom view. Additional information on custom view creation can be found here.

Network & Gateway Information

For networks and gateways, the panel to the left will be displayed. Users can assign a category and a criticality.

Additional information includes being able to review the IP address of the connected hosts.

The user can also search the config file for the device.

Display inbound / outbound connectivity paths as well as displaying stepping stone analysis. When selecting Inbound or Outbound, all paths are highlighted in gray; selecting a specific protocol will highlight the path in orange.

Connectivity Paths

When displaying the device menu for a specific device, clicking on the arrow (>) will expand the inbound and outbound connections.  Clicking on any service or IP will highlight the path on the topology map.  Source objects are designated by blue circles (Src) and destination objects are highlighted by red circles (Dest).

Additional path information is shown including the rule associated with the path.  Clicking on the blue text will invoke the access rules with the associated information.  The user can also add a comment if required.

Stepping Stone Analysis

Stepping Stone Analysis is available on custom views for Networks and Endpoints. Click any node that is not a Firewall / Router / Switch and open the info panel.

Find the Accordion section named "Stepping Stone Analysis" and open to reveal options.

Run as Source or Run as Destination.

A user has clicked a node, opened its info panel, and selected Run as Destination for the Host in the bottom center of the map.

The colors reflect how many hops away another node is from communicating with the analyzed node. The pie slices on the analyzed node show the distribution of nodes per number of hops.

Up close on a node with stepping stone analysis run
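The hop counting behind the coloring and the pie slices, as an added example that is not NP-View's own code: permitted connectivity is modelled as a directed graph (an edge A -> B means A is allowed to reach B, as the path analysis would have established), "Run as Source" measures hops outward from the analyzed node, "Run as Destination" measures hops inward by walking the reversed edges, and the distribution is the count of nodes at each hop. The node names and edges are constructed sample data.

```python
from collections import Counter, deque

# Constructed sample data (not from NP-View): directed "can reach" edges,
# as path analysis would have established them between endpoints.
ALLOWED = {
    "corp-pc-1":    ["jump-host"],
    "corp-pc-2":    ["jump-host", "file-server"],
    "jump-host":    ["hmi", "file-server"],
    "file-server":  [],
    "hmi":          ["plc"],
    "plc":          [],
    "guest-laptop": [],   # isolated: no permitted path in either direction
}


def reverse_edges(graph):
    """Flip every edge so a BFS from a node finds what can reach it."""
    reversed_graph = {node: [] for node in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            reversed_graph.setdefault(dst, []).append(src)
    return reversed_graph


def hop_counts(graph, node, mode):
    """Shortest hop count from every node to (mode='destination') or from
    (mode='source') the analyzed node; None for nodes with no path."""
    if mode == "destination":
        graph = reverse_edges(graph)
    elif mode != "source":
        raise ValueError("mode must be 'source' or 'destination'")
    hops = {n: None for n in graph}
    hops[node] = 0
    queue = deque([node])
    while queue:
        current = queue.popleft()
        for nxt in graph.get(current, []):
            if hops.get(nxt) is None:
                hops[nxt] = hops[current] + 1
                queue.append(nxt)
    return hops


def hop_distribution(hops):
    """Nodes per hop count, i.e. the pie slices on the analyzed node
    (the analyzed node itself, at 0 hops, is left out)."""
    return dict(Counter(h for h in hops.values() if h))


if __name__ == "__main__":
    hops = hop_counts(ALLOWED, "plc", "destination")
    for name, h in sorted(hops.items(), key=lambda kv: (kv[1] is None, kv[1] or 0)):
        print(f"{name:14} {'unreachable' if h is None else f'{h} hop(s)'}")
    print("distribution:", hop_distribution(hops))
```

Running it as destination for `plc` puts `hmi` one hop out and the two corporate PCs three hops out via the jump host, while `file-server` and `guest-laptop` have no path and stay uncolored; that three-hop chain is exactly what a stepping stone analysis is meant to surface.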

Path Block Analysis – Troubleshooting Path Blocking Issues

The above sections describe the different types of Path Analysis available in NP-View that will give information about connections in the Topology. But what if we want to confirm that a connection is blocked? For this NP-View offers Path Block Analysis.

Path Block Analysis allows a user to take two hosts, two networks, or one host and one network and troubleshoot whether the connection between them is blocked, and if so, why.

Open a Topology View that is not the Home View and select the two nodes you wish to troubleshoot. When the two nodes are selected, right click on one of them and select “Troubleshoot Path Blocking Issue”.

A dialog will slide out of the right side of the screen. The Source and Destination of the selected nodes will be entered and can be swapped. Protocol and Port are pre-populated and cannot be changed. Path Block analysis always searches using IP/any. Clicking Start will begin the analysis.

Path Block Found

When a Path Block is found the dialog will have a red notification, and the Blocked Paths window on the left side of the screen will be populated with the block information, including the reason why traffic is blocked. This information is not stored and will be erased as soon as ESC is pressed.

Path Block Not Found

When a Path Block is not found the dialog will present a green notification. The Blocked Paths window on the left side of the screen will be populated with a message that no blocks were found.
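To make the "blocked, and if so why" outcome concrete, here is an added example that is not NP-View's own code and does not reproduce its algorithm: a path is modelled as the ordered list of firewalls between source and destination, each with a first-match rule list, and the traffic is checked as IP/any, so only the address fields of a rule are evaluated. The first device whose first matching rule is a deny, or that has no matching rule at all (an implicit deny), is reported as the block and its reason; a None result means the path is not blocked. Device names, rules and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "permit" or "deny"
    src: str      # CIDR
    dst: str      # CIDR


# Constructed sample data (not from NP-View): the firewalls on the path from
# the corporate segment to the DMZ, each with its ordered rule list.
PATH = [
    ("edge-fw", [
        Rule("corp-to-dmz", "permit", "10.1.0.0/24", "172.16.8.0/22"),
        Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0"),
    ]),
    ("core-fw", [
        Rule("protect-mgmt", "deny", "10.1.0.0/24", "172.16.9.0/24"),
        Rule("corp-to-dmz", "permit", "10.1.0.0/24", "172.16.8.0/22"),
    ]),
]


def first_match(rules, src_ip, dst_ip):
    """First-match evaluation on addresses only (IP/any); returns (index, rule) or (None, None)."""
    for idx, rule in enumerate(rules, start=1):
        if src_ip in ipaddress.ip_network(rule.src) and dst_ip in ipaddress.ip_network(rule.dst):
            return idx, rule
    return None, None


def troubleshoot_path_block(path, source, destination):
    """Walk the firewalls in order; return None when the traffic is permitted end to end,
    otherwise the device, rule position and reason for the first block."""
    src_ip = ipaddress.ip_address(source)
    dst_ip = ipaddress.ip_address(destination)
    for device, rules in path:
        idx, rule = first_match(rules, src_ip, dst_ip)
        if rule is None:
            return {"device": device, "rule": None,
                    "reason": "no rule matches the traffic (implicit deny)"}
        if rule.action == "deny":
            return {"device": device, "rule": idx,
                    "reason": f"explicit deny by rule '{rule.name}'"}
    return None


if __name__ == "__main__":
    for src, dst in [("10.1.0.25", "172.16.9.10"),
                     ("10.1.0.25", "172.16.8.5"),
                     ("192.168.50.10", "172.16.8.5")]:
        block = troubleshoot_path_block(PATH, src, dst)
        print(f"{src} -> {dst}: {'no block found' if block is None else block}")
```

Swapping source and destination, as the dialog allows, is just a second call with the arguments reversed; in the sample both directions through `edge-fw` and `core-fw` give different answers because the rules are written for one direction only.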