7. Network Visualization
Network visualization is one of the most powerful function of NP-View and NP-Live. After the user creates a workspace and imports configuration files and supporting meta data, the visualization function process the information into a usable network diagram.
The Home View (also known as Birdseye) shows the user a high level overview of the primary devices within a workspace (Firewalls, Routers and Switches). The home view is the starting point for all workspaces.
From the home view, the user can:
- Select a single device (left click) to view details on the information panel.
- Right click on a single device to drill down to the single device topology view.
- Select multiple devices (shift and click or shift and drag to select) and create a custom zone, custom view or add to an existing zone.
A custom zone is a visual representation of devices that work together and have an assigned criticality. Custom views are used to organize devices and analyze the paths between the devices. Path analysis is only available from within a custom view.
Topology Network Map
From the topology view, the user can rearrange the objects on the canvas by selecting and dragging a device to a new location. Device location will be autosaved.
Devices can be assigned a name (e.g., grey text tag), a category (colored text tag) and criticality (colored ring).
If a device has active alerts, the number of alerts is displayed in the top-right corner (red circle).
If a device has user entered comments pertaining to this device, the number of comments is displayed in the top-left corner (blue circle).
Multiple devices can be selected by holding the shift key down (the cursor changes to a + sign) and dragging the mouse to make the selection. Once selected, the devices can be assigned to a common category or criticality. Alternatively, the devices can be assigned to a of zone (yellow grouping) by selecting the “Create new zone from selection” link . Once created, the zone can be named, categorized and assigned a criticality. Zones can be edited to add and remove devices, color coded and deleted.
Additional topology features include expand / collapse a node, auto arrange peers in a circle, auto define all zones and pin / unpin a specific node.
Right clicking on a device will provide options available to that device which can include running analyses and formatting.
When selecting a device, the device attributes will be displayed on the left device information menu.
Unmapped hosts (nodes) indicate IP addresses that could not be connected to a subnet in the topology based on IP and netmask relationship.
Tip: When importing a large number of devices, the topology map may initially display with overlapping devices. By selecting unpin, moving one device, selecting center and then pin, the map will auto arrange. Also, for very large topologies (over 200 devices), the router, firewall and switch symbols will change to circles to make the map easier to read when zoomed out.
Firewall Device Information
For Firewalls, Routers and Switches, the panel to the left will be displayed with the appropriate label in the blue jelly bean. The device type is define by heuristics. If the device is misclassified, clicking on the blue jelly bean allows the user to reclassify the device as a firewall, router or switch.
The user can rename the device, assign a category and a device criticality. Additional information includes being able to review multiple version of configuration files and compare them with the diff viewer.
A risk assessment grade is assigned for each firewall based on the number of open risks and warnings and their associated criticality.
The connectivity matrix shows all of the connections for the selected firewall and the IP rules for each connection.
Risks and Warnings shows the active risks, warnings and their criticality for the selected device.
Access Rules shows the rule table for the selected device with the ability to compare two sets of rules and display the differences.
Object groups shows the object groups for the selected device.
A summary of the number of routes and a table of the interfaces is also displayed. Administrators and Workspace Admin’s can delete the device from the workspace.
Network & Gateway Information
For networks and gateways, the panel to the left will be displayed. The user can rename the device, assign a category and a device criticality.
Additional information includes being able to review IP address of the connected hosts.
Display inbound connectivity / outbound paths as well as displaying traces and stepping stone analysis. When selecting Inbound or Outbound, all paths are highlighted in gray, selecting a specific protocol will highlight the path in orange.
Traces can be loaded from PCAP files, which are network data captures recorded by tools such as Wireshark or TCPDump. Stepping stone analysis displays the number of hops between the selected system and its nearest neighbors. (See below)
The user can also search the config file for the device.
And for hosts, the following is displayed
The user can rename the device, assign a category and a device criticality.
Display inbound / outbound connectivity paths as well as displaying traces and stepping stone analysis. Inbound and outbound connections are filtered to show the exact match for a given path. In some cases, no inbound or outbound paths will be displayed. (See below)
Display the services loaded from netstat files.
Display vulnerabilities loaded from Nmap, Nexpose, Nessus, and Qualys files.
The user can also search the config file for the device.
Clicking on the arrow (>) in the above will expand the inbound and outbound connections. Clicking on any service or IP will highlight the path on the topology map. Source objects are designated by red circles (Src) and destination objects are highlighted by blue circles (Dest).
Additional path information is shown including the rule associated with the path. Clicking on the blue text will invoke the rule table and associated information. The user can also add a comment if required.
Stepping Stone Analysis
Clicking on the stepping stone button will invoke the stepping stone analysis. The stepping stone analysis depicts the number of hops away from the target device other devices are.
Several features are available on the main menu accessible through the tree horizontal bars on the top to the left of the search bar.
- Manage Zones – provides the ability to manage user created zones. The user can remove nodes from zones, assign a criticality or category to the nodes or delete one or more zones. Additionally, inbound and outbound connectivity can be analyzed when in a custom view. If no zones have been created, the user can select the “Auto Generate Zones” function to automatically create assessment zones based on the connections in the workspace. Zones will be automatically named and color coded based on asset keywords. Once created, zones can be manually reclassified or deleted by clicking inside the zone space and selecting the appropriate option from the menu. If some devices are not properly included in the zone, the devices can be selected and manually tagged. Once automatic zones are created, the function is disabled until all zones are deleted.
- Manage Views – provides the ability to manage user created custom views. To create a custom view, select the devices from the home view to include in the custom view (shift + drag). Right click on one of the selected devices and select “Create View from Selection”. Input a name and select save. At tis time, custom views are limited to 15 primary devices (firewall, router and switches). The view will be created in the background allowing continued use of the home view. The custom view can be selected from the manage views panel to view.To edit a custom view, select the view from the Manage Views panel. Add / Remove devices from the view and click save view or delete the view with the trash can.
- Export map – exports the topology map to PDF of Visio for record retention.