When you join a new company, you will be faced with a complex network architecture left over from history. How to quickly sort out the network architecture and transform it according to the principles of zero trust?
This is a comprehensive tool for analyzing and visualizing hybrid network architectures across multiple cloud providers, accounts, and on-premise data centers. This tool leverages Neo4j graph database to provide insights into complex network relationships and configurations.
Reachability Analyzer can help us to discover network paths across multiple AWS Regions.
However, it does not support cross-account and multi-cloud environments.
But we can use its network path to design neo4j relationships.
cartography can help us to consolidates infrastructure assets and the relationships.
However, it does not include network relationships, such as routing tables, ACLs, security groups, etc.
- Network relationship mapping
- Graph-based network analysis
- Support for multiple resources:
- AWS
- VPCs
- Subnets
- Network Interfaces (ENIs)
- Security Groups
- Transit Gateways
- VPC Peering Connections
- Route Tables
- NACL (TODO)
- ELB (TODO)
- Prefix lists (TODO)
- VPN/Direct Connect (TODO)
- Route53 (TODO)
- Fortigate(TODO)
- IP Addresses
- Firewall Policies
- Ipsec tunnels
- Cloudflare(TODO)
- AWS
- Support for multiple resource collect methods:
- AWS
- API
- Boto3 Common authentication
- AWS SSO authentication
- Config Service(TODO)
- API collect
- S3 snapshot collect
- API
- AWS
- Docker and Docker Compose
- AWS credentials (if collecting AWS data)
- Python 3.9+ (if running locally)
- Clone the repository
git clone https://github.com/wanmail/Know-Your-Network.git
- Create
.envfile with Neo4j credentials
NEO4J_USER=neo4j
NEO4J_PASSWORD=your_secure_password
-
Configure your data source in
config.yml, see Configuration Options -
Start the services
docker-compose up -d
-
Access Neo4j browser at http://localhost:7474 to query your network data
-
Start analyzer every time
docker-compose up -d analyzer
- Start analyzer in dev mode(Please uncomment in
docker-compose.ymlfirst)
docker-compose up -d analyzer-dev
- Install dependencies
pip install -r requirements.txt
- Install Neo4j labels
neomodel_install_labels analyzer.models.network analyzer.models.aws {neo4j_url}
-
Configure your data source and neo4j in
config.yml, see Configuration Options -
Run the analyzer
python main.py
# If set debug, API call will save response in `export` directory, and you can load data directly from local instead of pulling it through API.
debug: true
# neo4j url
neo4j: "bolt://neo4j:neo4j@localhost:7687"
# Data source configRefer to examples directory.
MATCH p=()-[r:peering]->() RETURN p limit 25
MATCH (t:TGW) <- [:belong_to] - (a:TGWAttachment) - [:tgw_attach]-(v:VPC) RETURN t,a,v limit 25
Which has a public ip address and security group has a ingress permission to internet address.
MATCH (e:ENI)
WHERE e.public_ip_addr IS NOT NULL AND e.public_ip_addr <> ''
MATCH (e) - [:`with_policy`] - (:SecurityGroup) - [i:ingress] - (c:Cidr)
WHERE NOT ( (c.`start_ip_int`>=167772160 AND c.`start_ip_int` <= 184549375)
OR (c.`start_ip_int`>=2886729728 AND c.`start_ip_int` <= 2887778303)
OR (c.`start_ip_int`>=3232235520 AND c.`start_ip_int` <= 3232301055))
// AND NOT (c.`start_ip_int` = c.`end_ip_int`)
RETURN e limit 25
MATCH (src:ENI) - [:`with_policy`] - (sg:SecurityGroup) - [i:ingress] - (c:Cidr)
WHERE i.`from_port`=22
MATCH (src:ENI) - [:`ip_assigned`] - (sip:IP)
MATCH (src:ENI) - [:`belong_to`] - (v:VPC)
MATCH (dst:ENI) - [:`ip_assigned`] - (dip:IP)
WHERE c.`start_ip_int` <= dip.`ip_int` AND c.`end_ip_int` >=dip.`ip_int`
MATCH (dst:ENI) - [:`belong_to`] - (:Subnet) - [:`route_to`] - (:`EC2RouteTable`) - [rt:`route_to`] - (:PeeringConnection) - [:peering] - (v:VPC)
WHERE rt.`start_ip_int`<=sip.`ip_int` AND rt.`end_ip_int`>=sip.`ip_int`
// WITH COUNT(src) AS managed_count, dst
// WHERE managed_count > 1
// ORDER BY managed_count DESC
// LIMIT 30
// RETURN dst.`resource_id`, dst.`private_ip_addr`, dst.`owner_id`, managed_count
RETURN src,dst limit 25
Please note that the
srchere refers to thesrcwe started querying instead of thesrcaccessed by the network. We start from the ingress rule, sosrcrefers to the accessed eni, anddstrefers to the visitor. That means,dst-> 22 ->src.