Creating network diagrams is a time-consuming process. As soon as your IT environment changes, the diagram requires updates. And these static diagrams don't lend themselves to answering dynamic, multi-part questions such as, "How are devices interacting within a tier, and how have those devices been interacting across the network in the last hour?"
Visio: the single source of "the way the network looked at some point in time."— Ethan Banks (@ecbanks) January 11, 2018
To ease the burden of diagram creation, the ExtraHop system provides live activity maps. Based on real-time transactions that occur over wire data, the ExtraHop system creates a visual map of the protocol-based connections between devices during a specific time interval. One click instantly reveals who is talking to a device and what those devices are saying.
Group filters were introduced in 7.1, and they increase the power of activity maps. Group filters help you quickly include and exclude devices from a map based on their protocol activity or device group membership.
This blog post provides examples on how to answer multiple questions with group filters.
(Here is a quick refresher on the types of groups in the ExtraHop system.)
See how devices within a group talk to each other
For our example, let's say you're managing a tier of virtual devices, and you created a device group that contains all of your VMware devices. Though note that you can filter connections for any device group or activity group, such as a group that contains your file servers or development boxes.
Navigate to the VMware device group in the ExtraHop system and then click Activity Map in the upper right corner. As shown in the following figure, we now see the first step of connections between VMware devices and peer devices on the network.
Our first question: can we only see the east-west connections among the devices within the group? To find the answer, let's filter this first step of connections to only include the VMware devices. Voila! Now we see just the connections among the group devices.
See how devices in a tier interact with the outside world
Our next question: can we see the north-south traffic from our tier to the rest of the network? We'll start with the same map, but this time we'll apply a filter to all peer devices to exclude VMware devices. You would apply this exclusion criteria if you wanted to find out which other devices are talking to your group.
Find a device with unauthorized traffic
The exclusion criteria we demonstrated above is useful for identifying possible non-compliant connections, but we can do even better. Let's say that all of the devices in our VMware tier should be locked down to internal traffic only. We want to make sure that no unauthorized connections are occurring, especially over DNS.
DNS can be easily overlooked because it is an essential service. But activity maps make it easier to detect sneaky infrastructure attacks, such as DNS hijacking, that might otherwise be invisible on a static network diagram.
We'll start by creating the same live activity map of the VMware device group. But this time we'll swap All Peers for DNS Servers as the first step of connections from our VMware devices, as shown in the figure below. By specifying that we only want to see servers receiving DNS requests from our VMware devices, we can more quickly narrow down the scope of our investigation.
Now let's say that you already have a device group that contains approved DNS servers. Filter the DNS server connections to exclude the approved DNS servers.
Yikes! We see real-time connections to an unauthorized DNS server, which is a cause for concern.
The next question: who else in the network is connecting to this rogue server? Let's continue with the same map. Now we'll add a new step of DNS clients to see all of the other network devices sending DNS requests to this rogue DNS server.
Double yikes! Our activity map reveals that many devices in the network are sending DNS requests to this rogue DNS server, called polaris, within the last 30 minutes. If you want to see the other activity that the polaris server is up to, click the map node and then click polaris from the menu to open its protocol page. You can also click a specific connection between this server and a client to investigate transaction-level records, if you have an ExtraHop Explore appliance.
By applying group filters to our live activity maps, we learned a lot about the real-time interactions for our VMware device group. We also collected valuable information about recent suspicious activity, which might have gone undetected for several hours or days.
Hopefully these examples spark your imagination about how to answer questions with live activity maps. If you have other scenarios that come to mind, please share those with the community in the comment box below.
To learn more about activity maps, see the following topics:
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2018/supercharge-activity-maps-with-group-filters/