Network visualization is one of the most powerful functions of NP-View. After the user creates a workspace and imports configuration files and supporting metadata, the visualization function processes the information into a usable network diagram.
The Home View shows the user a high level overview of the primary devices within a workspace (Firewalls, Routers and Switches). The home view is the starting point for all workspaces. Devices can be connected by a solid or dotted line. A solid line indicates evidence of a direct connection.
From the home view, the user can:
- Select a single device (left click) to view details on the information panel.
- Select multiple devices (CTRL and click or shift and drag to select) and create a custom zone or add to an existing zone. A custom zone is a visual representation of devices that work together and have an assigned criticality.
- Right click on a single device to drill down to the single device view.
Topology Network Map
From the topology view, the user can rearrange the objects on the canvas by selecting and dragging a device to a new location. Device location will be autosaved.
Devices can be assigned a name (e.g., grey text tag), a category (colored text tag) and criticality (colored ring).
If a device has active alerts, the number of alerts is displayed in the top-right corner (red circle).
If a device has user entered comments pertaining to this device, the number of comments is displayed in the top-left corner (blue circle).
Multiple devices can be selected by holding the Shift key down (the cursor changes to a + sign) and dragging the mouse to make the selection. The Ctrl key can be used to select / deselect individual devices. Once selected, the devices can be assigned to a common category or criticality. Alternatively, the devices can be assigned to a zone (yellow grouping) by selecting the “Create new zone from selection” link. Once created, the zone can be named, categorized and assigned a criticality. Zones can be edited to add and remove devices, color coded and deleted. Unmapped hosts (nodes) indicate IP addresses that could not be connected to a subnet in the topology based on the IP and netmask relationship.
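The unmapped-host check described above, as an added example that is not NP-View code: each host IP is tested against the subnets derived from imported interface IP/netmask pairs, and anything that lands in no subnet is reported as unmapped (the interface and host values are constructed sample data).

```python
import ipaddress

# Constructed sample data: interface IP plus netmask from device configs,
# and host IPs as they would arrive from netstat or scan imports.
INTERFACES = [
    ("fw1", "10.0.1.1", "255.255.255.0"),
    ("rtr1", "10.0.2.1", "255.255.255.128"),
    ("sw1", "192.168.10.5", "255.255.255.0"),
]
HOSTS = ["10.0.1.50", "10.0.2.200", "192.168.10.77", "172.16.0.9"]


def build_subnets(interfaces):
    """Turn (device, ip, netmask) triples into (device, network) pairs."""
    subnets = []
    for device, ip, mask in interfaces:
        # strict=False lets the interface address itself be a host bit pattern
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        subnets.append((device, net))
    return subnets


def map_hosts(hosts, subnets):
    """Return (mapped, unmapped).

    mapped   -> {host: [(device, network_cidr), ...]} for every subnet that
                contains the host (a host may sit on more than one subnet)
    unmapped -> hosts that no imported subnet covers; these usually mean a
                missing device configuration or a wrong netmask
    """
    mapped, unmapped = {}, []
    for host in hosts:
        addr = ipaddress.ip_address(host)
        hits = [(dev, str(net)) for dev, net in subnets if addr in net]
        if hits:
            mapped[host] = hits
        else:
            unmapped.append(host)
    return mapped, unmapped


if __name__ == "__main__":
    mapped, unmapped = map_hosts(HOSTS, build_subnets(INTERFACES))
    print("mapped:", mapped)
    print("unmapped:", unmapped)
```

Note that 10.0.2.200 is unmapped because the /25 on rtr1 only covers 10.0.2.0 to 10.0.2.127; a host that looks "obviously" on a device's network can still be unmapped when the imported mask is narrower than expected.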
Additional topology features include expand / collapse a node, auto arrange peers in a circle, auto define all zones and pin / unpin a specific node.
Tip: When importing a large number of devices, the topology map may initially display with overlapping devices. By selecting unpin, moving one device, selecting center and then pin, the map will auto arrange. Also, for very large topologies (over 200 devices), the router, firewall and switch symbols will change to circles to make the map easier to read when zoomed out.
Firewall Device Information
For Firewalls, Routers and Switches, when selecting a device, the device attributes will be displayed on the left device information menu. The device panel will be displayed with the appropriate label. The device type is defined by heuristics. If the device is misclassified, clicking on the drop-down allows the user to reclassify the device as a firewall, router or switch.
The user can also rename the device, assign a category and a device criticality. Additional information includes the ability to review multiple versions of configuration files and compare them with the diff viewer.
A risk assessment grade is assigned for each firewall based on the number of open risks and warnings and their associated criticality.
The connectivity matrix shows all of the connections for the selected firewall and the IP rules for each connection.
Risks and Warnings shows the active risks, warnings and the criticality for the selected device.
Access Rules shows the rules for the selected device with the ability to compare two sets of rules and display the differences.
Object groups shows the object groups for the selected device.
A summary of the number of routes and a table of the interfaces are also displayed. Administrators and Workspace Admins can delete devices from the workspace.
For hosts, the following is displayed:
- The user can rename the device, assign a category and a device criticality.
- Inbound / outbound connectivity paths, as well as traces and stepping stone analysis. Inbound and outbound connections are filtered to show the exact match for a given path. In some cases, no inbound or outbound paths will be displayed. (See below)
- The services loaded from netstat files.
- Vulnerabilities loaded from Nmap, Nexpose, Nessus, and Qualys files.
Several features are available on the main menu, accessible through the three horizontal bars at the top, to the left of the search bar.
Manage Zones – provides the ability to create or manage groupings of devices called zones. If no zones have been created, the user can select the “Auto Generate Zones” function to automatically create assessment zones based on the connections in the workspace. Zones will be automatically named and color coded based on asset keywords. Once created, zones can be manually reclassified or deleted by clicking inside the zone space and selecting the appropriate option from the menu. If some devices are not properly included in a zone, the devices can be selected and added manually (or right-clicked and added to a zone). Once automatic zones are created, the Auto Generate Zones function is disabled until all zones are deleted.
Note that the default zone color is light yellow for zones that do not match keywords and the criticality is not defined. The user can assign a criticality and color of their choice.
For manual zone creation, the user can select two or more objects from the topology map and the zone panel will display. From the panel, the user can create a zone, name it and assign a criticality. The user can also assign tags and criticalities to the selected devices. For existing zones, the user can add / remove nodes from zones, edit the name or criticality or delete the selected zones. Right clicking on any topology object will allow for the addition or removal of an object from a zone. Any object can be added to one or more zones.
Manage Views – provides the ability to manage user created custom views. To create a custom view, select the devices from the home view to include in the custom view (shift + drag). Right click on one of the selected devices and select “Create View from Selection”. Input a name and select save. At this time, custom views are limited to 15 primary devices (firewall, router and switches). The view will be created in the background allowing continued use of the home view. The custom view can be selected from the manage views panel to view. To rename a view, select the pencil to invoke the name editor. To change the devices in a custom view, select the view from the Manage Views panel. Add / Remove devices from the view and click save view or delete the view with the trash can.
Export map – exports the topology map to PDF or Visio for record retention.
Custom views are used to organize devices and analyze the paths between the devices. Path analysis and stepping stone analysis are only available from within a custom view. To create a custom view, select two or more devices using Shift + drag or Ctrl + click. Once selected, right click to present the menu option. Name the view, select “Save” and the view creation will begin as a background task.
Once completed, the topology map will switch to the newly created view with the view details. A dotted line represents a connection that is inferred from the information provided (e.g., a layer 2 connection). Additional configuration data is required to convert inferred to direct connections.
Network & Gateway Information
For networks and gateways, the panel to the left will be displayed. The user can rename the device, assign a category and a device criticality.
Additional information includes being able to review the IP address of the connected hosts.
Display inbound / outbound connectivity paths, as well as traces and stepping stone analysis. When selecting Inbound or Outbound, all paths are highlighted in gray; selecting a specific protocol will highlight the path in orange.
The user can also search the config file for the device.
When displaying the device menu for a specific device, clicking on the arrow (>) will expand the inbound and outbound connections. Clicking on any service or IP will highlight the path on the topology map. Source objects are designated by blue circles (Src) and destination objects are highlighted by red circles (Dest).
Additional path information is shown including the rule associated with the path. Clicking on the blue text will invoke the access rules with the associated information. The user can also add a comment if required.
Stepping Stone Analysis
Clicking on the stepping stone button will invoke the stepping stone analysis. The stepping stone analysis depicts how many hops away from the target device the other devices are.
The colors reflect the hop count: direct (red), one (orange), two or more (yellow). The pie slices represent the number of devices at each hop distance from the selected device.
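The hop classification behind the stepping stone view, as an added example that is not NP-View code: a breadth-first search from the target device over the direct connections in a view, with the same three buckets (direct, one intermediate hop, two or more) and a per-bucket count standing in for the pie slices. The topology edges are constructed sample data.

```python
from collections import deque

# Constructed sample topology: each pair is a direct connection between two
# devices in a custom view (treated as undirected for reachability).
EDGES = [
    ("host-A", "fw1"), ("fw1", "rtr1"), ("rtr1", "sw1"),
    ("sw1", "host-B"), ("fw1", "host-C"), ("rtr1", "srv-D"),
]

# Number of intermediate devices on the shortest path -> display color.
COLORS = {0: "red", 1: "orange", 2: "yellow"}


def build_graph(edges):
    """Adjacency sets from the edge list."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def stepping_stones(graph, target):
    """BFS from target; return {device: intermediate_hops} for reachable devices.

    A path of length 1 is a direct connection, i.e. zero intermediate devices.
    """
    dist = {target: 0}
    queue = deque([target])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return {dev: n - 1 for dev, n in dist.items() if dev != target}


def color_for(intermediate_hops):
    """Bucket 0, 1 and 2-or-more intermediate hops into the three colors."""
    return COLORS[min(intermediate_hops, 2)]


def slice_counts(hops):
    """Devices per color bucket: the numbers behind the pie slices."""
    counts = {"red": 0, "orange": 0, "yellow": 0}
    for n in hops.values():
        counts[color_for(n)] += 1
    return counts


if __name__ == "__main__":
    hops = stepping_stones(build_graph(EDGES), "host-A")
    print({dev: (n, color_for(n)) for dev, n in hops.items()})
    print(slice_counts(hops))
```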