Sections in this category

Network connections & zones

  • Updated

What network traffic is allowed between internal and external (i.e. between trusted and untrusted) networks?

Find Firewall as fw
  that ALLOWS as r (Network|Host) with
    internal=undefined or internal=false as n
return
  fw.tag.AccountName, fw._type, fw.displayName, fw.description,
  r.ipProtocol, r.fromPort, r.toPort,
  n.displayName, n.CIDR, n.ipAddress
order by
  fw.tag.AccountName

What production resources are directly connected/exposed to the Internet/everyone?

Find (Internet|Everyone)
  that relates to * with
    tag.Production=true and
    _class!='Firewall' and
    _class!='Gateway' as resource
return
  resource.tag.AccountName, resource._type,
  resource.name, resource.description,
  resource.classification
order by
  resource.tag.AccountName

What endpoints directly connected to the Internet?

Find aws_subnet with public=true as n
  that HAS aws_instance as i
  that PROTECTS aws_security_group as sg
  that ALLOWS as rule Internet
return
  n.displayName as subnet,
  i.displayName as instance,
  sg.displayName as SG, sg.groupId, sg.vpcId as VPC,
  sg.tag.AccountName as Account, sg.webLink,
  rule.ipProtocol, rule.fromPort, rule.toPort

Returns a graph instead using return tree at the end

Find aws_subnet with public=true as n
  that HAS aws_instance as i
  that PROTECTS aws_security_group as sg
  that ALLOWS as rule Internet
return tree

What storage is directly connected to the internet?

Find databases that are public:

Find Database with public=true

Find data stores (including AWS S3 buckets) that allows public access:

Find DataStore that allows Everyone

What are my proxies, relays or load balancers?

Find Gateway

Network layer gateways including AWS internet gateways, network load balancers, etc.:

Find Gateway with category='network'

Application layer gateways including API gateways, application load balancers, etc.:

Find Gateway with category='application'

More specifically, find AWS ELB application and network load balancers:

Find (aws_alb|aws_nlb)

Are there potential IP collisions among the networks/subnets in my environment?

Find subnets within the same VPC that have the same CIDR:

Find Network as n1 that has aws_vpc as env that has Network as n2
where
  n1.CIDR=n2.CIDR
return
  n1.displayName, n1.CIDR, n1.region,
  n2.displayName, n2.CIDR, n2.region,
  env.displayName, env.tag.AccountName
order by env.tag.AccountName

Find VPCs in the same AWS account that have the same CIDR:

Find aws_vpc as n1
  that has (Account|Service) as env
  that has aws_vpc as n2
where
  n1.CIDR=n2.CIDR
return
  n1.displayName, n1.CIDR, n1.region,
  n2.displayName, n2.CIDR, n2.region,
  env.displayName, env.tag.AccountName
order by env.tag.AccountName

Filters out default VPCs:

Find aws_vpc with defaultVpc!=true as n1
  that has (Account|Service) as env
  that has aws_vpc with defaultVpc!=true as n2
where n1.CIDR=n2.CIDR
return
  n1.displayName, n1.CIDR, n1.region,
  n2.displayName, n2.CIDR, n2.region,
  env.displayName, env.tag.AccountName
order by env.tag.AccountName

Are wireless networks segmented and protected by firewalls?

Requires an integration such as Cisco Meraki, or by adding the wireless network configuration information via the J1 API.

Find Network with wireless=true as n
  that (HAS|CONTAINS|CONNECTS|PROTECTS) (Gateway|Firewall)
    with category='network' as g
  that (CONNECTS|ALLOWS|PERMITS|DENIES|REJECTS) as r *
return
  n.displayName as Network, n._type as NetworkType,
  n.cidr as CIDR, n.environment as Environment,
  g.displayName as Gateway, g._type as GatewayType,
  r._class, r.ipProtocol, r.fromPort, r.toPort

Are there VPN configured for remote access?

Performs a full text search to see if any indexed data that matches the search string 'vpn' is a VPN Host, a VPN Device, a VPN Network or a VPN Gateway:

'vpn' with
  _class=('Host' or 'Device' or 'Network' or 'Gateway')

Is there proper segmentation/segregation of networks?

Find Network with internal=true as n
  that (HAS|CONTAINS|CONNECTS|PROTECTS) (Gateway|Firewall)
    with category='network' as g
return
  n.displayName as Network,
  n._type as NetworkType,
  n.CIDR as CIDR,
  n.tag.AccountName as Account,
  n.internal as Internal,
  g.displayName as Gateway,
  g._type as GatewayType

Show all inbound SSH firewall rules across my network environments.

Find Firewall as fw
  that ALLOWS as rule * as src
where rule.ingress=true and
  rule.ipProtocol='tcp' and
  rule.fromPort<=22 and rule.toPort>=22
return
  fw.displayName,
  rule.ipProtocol, rule.fromPort, rule.toPort,
  src.displayName, src.ipAddress, src.CIDR

Is inbound SSH allowed directly from an external host or network?

Find Firewall as fw
  that ALLOWS as rule (Host|Network)
    with internal=false or internal=undefined as src
where
  rule.ingress=true and rule.ipProtocol='tcp' and
  rule.fromPort<=22 and rule.toPort>=22
return
  fw.displayName,
  rule.fromPort, rule.toPort,
  src.displayName, src.ipAddress, src.CIDR

Show listing of network layer firewall protection or SGs across all my environments.

Find Firewall as f that PROTECTS Network as n
return f.displayName as firewall, n.displayName as network
Find Firewall with category='network'

Show cross-vpc/network trust (i.e. what services in one hosting env are configured to trust services in another)

To be added.

🔝

Was this article helpful?

2 out of 2 found this helpful