7. Network Visualization


Network visualization is one of the most powerful functions of NP-View and NP-Live. After the user creates a workspace and imports configuration files and supporting metadata, the visualization function processes the information into a usable network diagram. From the network diagram, the user can rearrange the objects on the canvas by selecting and dragging a device to a new location.

Topology Network Map

Devices can be assigned a name (e.g., grey text tag), a category (colored text tag) and criticality (colored ring).

If a device has active alerts, the number of alerts is displayed in the top-right corner (red circle).

If a device has user-entered comments, the number of comments is displayed in the top-left corner (blue circle).

Multiple devices can be selected by holding the shift key down (the cursor changes to a + sign) and dragging the mouse to make the selection. Once selected, the devices can be assigned to a common category or criticality. Alternatively, the devices can be assigned to a zone (yellow grouping) by selecting the “Create new zone from selection” link. Once created, the zone can be named, categorized and assigned a criticality. Zones can be edited to add and remove devices, color coded and deleted.

Additional topology features include expand / collapse a node, auto arrange peers in a circle, auto define all zones and pin / unpin a specific node.

Right clicking on a device will provide options available to that device which can include running analyses and formatting.

When selecting a device, the device attributes will be displayed on the left device information menu.

Unmapped hosts (nodes) indicate IP addresses that could not be connected to a subnet in the topology based on IP and netmask relationship.
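The IP and netmask relationship described above can be illustrated with a short added example (not NP-View code). The interface names, addresses and host list are constructed sample data, and picking the longest matching prefix for overlapping subnets is an assumption of this sketch.

```python
import ipaddress

# Constructed sample data: (interface, address, netmask) as found in device
# configs, plus host IPs referenced by rules or scan files.
INTERFACE_SUBNETS = [
    ("fw1/inside", "10.10.0.1", "255.255.0.0"),
    ("fw1/dmz", "192.168.50.1", "255.255.255.0"),
    ("rtr1/eng", "10.10.20.1", "255.255.255.0"),
]
HOSTS = ["10.10.20.15", "10.10.99.7", "192.168.50.200", "172.16.4.9"]


def build_networks(interfaces):
    """Turn (name, ip, netmask) tuples into network -> [interface names]."""
    nets = {}
    for name, ip, mask in interfaces:
        # strict=False derives the network from an interface address
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        nets.setdefault(net, []).append(name)
    return nets


def map_hosts(hosts, interfaces):
    """Return (mapped, unmapped); mapped is host -> most specific subnet."""
    nets = build_networks(interfaces)
    mapped, unmapped = {}, []
    for host in hosts:
        addr = ipaddress.ip_address(host)
        candidates = [n for n in nets if addr in n]
        if candidates:
            # Assumption: the longest prefix wins when subnets overlap
            mapped[host] = max(candidates, key=lambda n: n.prefixlen)
        else:
            unmapped.append(host)  # no subnet in the topology contains it
    return mapped, unmapped


if __name__ == "__main__":
    mapped, unmapped = map_hosts(HOSTS, INTERFACE_SUBNETS)
    for host, net in mapped.items():
        print(f"{host:16} -> {net}")
    print("unmapped:", unmapped)
```

A host that ends up in the unmapped list usually points to a missing device configuration or an incorrect netmask in the imported data.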

Tip: When importing a large number of devices, the topology map may initially display with overlapping devices.  By selecting unpin, moving one device, selecting center and then pin, the map will auto arrange.  Also, for very large topologies (over 200 devices), the router, firewall and switch symbols will change to circles to make the map easier to read when zoomed out.

Firewall Device Information

For Firewalls, Routers and Switches, the panel to the left will be displayed with the appropriate label in the blue jelly bean. The device type is defined by heuristics. If the device is misclassified, clicking on the blue jelly bean allows the user to reclassify the device as a firewall, router or switch.

The user can rename the device, assign a category and a device criticality. Additional information includes being able to review multiple versions of configuration files and compare them with the diff viewer.

A risk assessment grade is assigned for each firewall based on the number of open risks and warnings and their associated criticality.

The connectivity matrix shows all of the connections for the selected firewall and the IP rules for each connection.

Risks and Warnings shows the active risks, warnings and their criticality for the selected device.

Access Rules shows the rule table for the selected device with the ability to compare two sets of rules and display the differences.

Object groups shows the object groups for the selected device.

A summary of the number of routes and a table of the interfaces is also displayed. Administrators and Workspace Admins can delete the device from the workspace.

Network & Gateway Information

For networks and gateways, the panel to the left will be displayed:

The user can rename the device, assign a category and a device criticality.

Additional information includes being able to review the IP addresses of the connected hosts.

Display inbound / outbound connectivity paths as well as traces and stepping stone analysis. (See below)

Traces can be loaded from PCAP files, which are network data captures recorded by tools such as Wireshark or TCPDump.

Stepping stone analysis displays the number of hops between the selected system and its nearest neighbors. (See below)

The user can also search the config file for the device.

Host Information

For hosts, the following is displayed:

The user can rename the device, assign a category and a device criticality.

Display inbound / outbound connectivity paths as well as displaying traces and stepping stone analysis.  Inbound and outbound connections are filtered to show the exact match for a given path. In some cases, no inbound or outbound paths will be displayed. (See below)

Display the services loaded from netstat files.

Display vulnerabilities loaded from Nmap, Nexpose, Nessus, and Qualys files.

The user can also search the config file for the device.

Connectivity Information

Clicking on the arrow (>) in the above will expand the inbound and outbound connections. Clicking on any service or IP will highlight the path on the topology map. Source objects are designated by red circles (out) and destination objects are highlighted by blue circles (in).

Additional path information is shown including the rule associated with the path.  Clicking on the blue text will invoke the rule table and associated information.  The user can also add a comment if required.

Stepping Stone Analysis

Clicking on the stepping stone button will invoke the stepping stone analysis. The stepping stone analysis depicts how many hops away each of the other devices is from the target device.
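Hop counts of this kind can be computed with a breadth-first search over the topology. The following is an added example, not NP-View's implementation; the device names and links are constructed sample data, and it treats every link as traversable in both directions.

```python
from collections import deque

# Constructed sample topology: device -> directly connected neighbors.
TOPOLOGY = {
    "hmi-01": ["scada-net"],
    "scada-net": ["hmi-01", "fw-ot"],
    "fw-ot": ["scada-net", "dmz-net"],
    "dmz-net": ["fw-ot", "historian", "fw-corp"],
    "historian": ["dmz-net"],
    "fw-corp": ["dmz-net", "corp-net"],
    "corp-net": ["fw-corp", "laptop-7"],
    "laptop-7": ["corp-net"],
    "lab-pc": [],  # isolated device with no links
}


def hop_counts(topology, target):
    """Breadth-first search: fewest hops from target to each reachable device."""
    hops = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for neighbor in topology.get(node, []):
            if neighbor not in hops:  # first visit is the shortest path
                hops[neighbor] = hops[node] + 1
                queue.append(neighbor)
    return hops


def stepping_stones(topology, target):
    """Group devices by hop distance; list devices with no path to target."""
    hops = hop_counts(topology, target)
    rings = {}
    for device, n in hops.items():
        rings.setdefault(n, []).append(device)
    rings = {n: sorted(devs) for n, devs in sorted(rings.items())}
    unreachable = sorted(set(topology) - set(hops))
    return rings, unreachable


if __name__ == "__main__":
    rings, unreachable = stepping_stones(TOPOLOGY, "hmi-01")
    for n, devs in rings.items():
        print(f"{n} hop(s): {', '.join(devs)}")
    print("no path:", ", ".join(unreachable))
```

Devices at a low hop count from a high-criticality asset are the first ones to review when assessing its exposure.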

Main Menu Features

Several topology features are presented on the main menu available in the top-left corner.

  • Auto group – automatically creates assessment zones based on the connections in the workspace. Zones will be automatically named and color coded based on asset keywords. Once auto grouped, zones can be manually reclassified or deleted by clicking inside the zone space and selecting the appropriate option from the left menu bar. If some devices are not properly included in the zone, the devices can be selected and manually added to a zone. Once a zone is deleted, the auto group function will again be enabled to recreate the zones if required.
    Keyword, criticality and colors
    Keyword Criticality Color Best Practices NERC-CIP PCI
    bcc HIGH light red X
    datacenter* HIGH light red X X X
    dist HIGH light red X
    dmz* HIGH light red X
    *ems* HIGH light red X
    ^esp HIGH light red X
    pcc HIGH light red X
    scada HIGH light red X
    trust HIGH light red X
    backoffice MEDIUM light orange X X
    bu* MEDIUM light orange X
    corp MEDIUM light orange X X X
    office LOW white X X
    internet UNTRUSTED light gray X X X
    remote UNTRUSTED light gray X X X

    Note that the default zone color is light yellow for zones that do not match keywords and the criticality is not defined. The user can assign a criticality and color of their choice.

  • Custom Views – Two views are automatically created for each workspace. Default shows all of the devices in the workspace and the bird's eye view shows only the firewalls in the workspace. Additional views displaying selected devices can be created by the user to simplify the viewing of complex topologies.
  • Highlight paths – Allows the user to view device / open port combinations on the topology map.
  • Export map – exports the topology map to PDF or Visio for record retention.