Network Connections and Zones - AskJ1 Community
<main> <article class="userContent">
<h4 data-id="what-network-traffic-is-allowed-between-internal-and-external-i-e-between-trusted-and-untrusted-networks">What network traffic is allowed between internal and external (i.e. between trusted and untrusted) networks?</h4>
<p>Lists every firewall rule whose target network or host is not flagged as internal. An unset <code class="code codeInline" spellcheck="false" tabindex="0">internal</code> property is treated as untrusted, so entities that no integration has classified are included rather than silently skipped:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Firewall as fw that ALLOWS as r (Network|Host) with internal=undefined or internal=false as n return fw.tag.AccountName, fw._type, fw.displayName, fw.description, r.ipProtocol, r.fromPort, r.toPort, n.displayName, n.CIDR, n.ipAddress order by fw.tag.AccountName </pre>
<h4 data-id="what-production-resources-are-directly-connected-exposed-to-the-internet-everyone">What production resources are directly connected/exposed to the Internet/everyone?</h4>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find (Internet|Everyone) that relates to * with tag.Production=true and _class!='Firewall' and _class!='Gateway' as resource return resource.tag.AccountName, resource._type, resource.name, resource.description, resource.classification order by resource.tag.AccountName </pre>
<h4 data-id="what-endpoints-directly-connected-to-the-internet">What endpoints are directly connected to the Internet?</h4>
<p>Finds instances in public subnets whose security group has a rule that allows traffic from the Internet:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_subnet with public=true as n that HAS aws_instance as i that PROTECTS aws_security_group as sg that ALLOWS as rule Internet return n.displayName as subnet, i.displayName as instance, sg.displayName as SG, sg.groupId, sg.vpcId as VPC, sg.tag.AccountName as Account, sg.webLink, rule.ipProtocol, rule.fromPort, rule.toPort </pre>
<p>To return a graph instead of a table, end the query with <code class="code codeInline" spellcheck="false" tabindex="0">return tree</code>:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_subnet with public=true as n that HAS aws_instance as i that PROTECTS aws_security_group as sg that ALLOWS as rule Internet return tree </pre>
<h4 data-id="what-storage-is-directly-connected-to-the-internet">What storage is directly connected to the internet?</h4>
<p>Find databases that are public:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Database with public=true </pre>
<p>Find data stores (including AWS S3 buckets) that allow public access:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find DataStore that allows Everyone </pre>
<h4 data-id="what-are-my-proxies-relays-or-load-balancers">What are my proxies, relays or load balancers?</h4>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Gateway </pre>
<p>Network-layer gateways, including AWS internet gateways, network load balancers, etc.:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Gateway with category='network' </pre>
<p>Application-layer gateways, including API gateways, application load balancers, etc.:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Gateway with category='application' </pre>
<p>More specifically, find AWS ELB application and network load balancers:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find (aws_alb|aws_nlb) </pre>
<h4 data-id="are-there-potential-ip-collisions-among-the-networks-subnets-in-my-environment">Are there potential IP collisions among the networks/subnets in my environment?</h4>
<p>Find subnets within the same VPC that have the same CIDR. Note that these queries compare the CIDR strings for equality, so they catch duplicated blocks but not blocks that merely overlap (for example a /24 and a /25 carved out of it):</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Network as n1 that has aws_vpc as env that has Network as n2 where n1.CIDR=n2.CIDR return n1.displayName, n1.CIDR, n1.region, n2.displayName, n2.CIDR, n2.region, env.displayName, env.tag.AccountName order by env.tag.AccountName </pre>
<p>Find VPCs in the same AWS account that have the same CIDR:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_vpc as n1 that has (Account|Service) as env that has aws_vpc as n2 where n1.CIDR=n2.CIDR return n1.displayName, n1.CIDR, n1.region, n2.displayName, n2.CIDR, n2.region, env.displayName, env.tag.AccountName order by env.tag.AccountName </pre>
<p>The same query, excluding default VPCs:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find aws_vpc with defaultVpc!=true as n1 that has (Account|Service) as env that has aws_vpc with defaultVpc!=true as n2 where n1.CIDR=n2.CIDR return n1.displayName, n1.CIDR, n1.region, n2.displayName, n2.CIDR, n2.region, env.displayName, env.tag.AccountName order by env.tag.AccountName </pre>
<h4 data-id="are-wireless-networks-segmented-and-protected-by-firewalls">Are wireless networks segmented and protected by firewalls?</h4>
<p><em>Requires an integration such as Cisco Meraki, or adding the wireless network configuration via the J1 API.</em></p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Network with wireless=true as n that (HAS|CONTAINS|CONNECTS|PROTECTS) (Gateway|Firewall) with category='network' as g that (CONNECTS|ALLOWS|PERMITS|DENIES|REJECTS) as r * return n.displayName as Network, n._type as NetworkType, n.CIDR as CIDR, n.environment as Environment, g.displayName as Gateway, g._type as GatewayType, r._class, r.ipProtocol, r.fromPort, r.toPort </pre>
<h4 data-id="are-there-vpn-configured-for-remote-access">Are there VPNs configured for remote access?</h4>
<p>A full-text search for the string 'vpn', limited to results whose class is Host, Device, Network or Gateway:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">'vpn' with _class=('Host' or 'Device' or 'Network' or 'Gateway') </pre>
<h4 data-id="is-there-proper-segmentation-segregation-of-networks">Is there proper segmentation/segregation of networks?</h4>
<p>Lists internal networks together with the network-layer gateway or firewall attached to them. An internal network that is missing from the result has no such boundary control recorded in the graph:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Network with internal=true as n that (HAS|CONTAINS|CONNECTS|PROTECTS) (Gateway|Firewall) with category='network' as g return n.displayName as Network, n._type as NetworkType, n.CIDR as CIDR, n.tag.AccountName as Account, n.internal as Internal, g.displayName as Gateway, g._type as GatewayType </pre>
<h4 data-id="show-all-inbound-ssh-firewall-rules-across-my-network-environments">Show all inbound SSH firewall rules across my network environments.</h4>
<p>A rule matches when its port range contains 22, not only when it is exactly 22-22, so broad ranges such as 0-1024 are caught. Rules that allow all protocols (AWS records these with protocol -1 and no port range) are not matched by <code class="code codeInline" spellcheck="false" tabindex="0">ipProtocol='tcp'</code> and need to be checked separately:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Firewall as fw that ALLOWS as rule * as src where rule.ingress=true and rule.ipProtocol='tcp' and rule.fromPort<=22 and rule.toPort>=22 return fw.displayName, rule.ipProtocol, rule.fromPort, rule.toPort, src.displayName, src.ipAddress, src.CIDR </pre>
<h4 data-id="is-inbound-ssh-allowed-directly-from-an-external-host-or-network">Is inbound SSH allowed directly from an external host or network?</h4>
<p>The same check, restricted to sources that are not flagged as internal (an unset flag counts as external):</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Firewall as fw that ALLOWS as rule (Host|Network) with internal=false or internal=undefined as src where rule.ingress=true and rule.ipProtocol='tcp' and rule.fromPort<=22 and rule.toPort>=22 return fw.displayName, rule.fromPort, rule.toPort, src.displayName, src.ipAddress, src.CIDR </pre>
<h4 data-id="show-listing-of-network-layer-firewall-protection-or-sgs-across-all-my-environments">Show a listing of network-layer firewall protection or SGs across all my environments.</h4>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Firewall as f that PROTECTS Network as n return f.displayName as firewall, n.displayName as network </pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find Firewall with category='network' </pre>
<h4 data-id="show-cross-vpc-network-trust-i-e-what-services-in-one-hosting-env-are-configured-to-trust-services-in-another">Show cross-vpc/network trust (i.e. what services in one hosting env are configured to trust services in another)</h4>
<p><em>To be added.</em></p>
</article> </main>
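The IP-collision queries above match subnets or VPCs whose CIDR strings are equal. The following Python, added here as an illustration and not JupiterOne's own code, models that equality check and then generalises it to the condition that actually causes a routing collision: two blocks in the same VPC that share any address, such as a /24 and a /25 inside it. The `Network` record shape and the sample subnets are constructed for the example.

```python
"""Overlap check for the IP-collision queries above, run over constructed
subnets. Example code, not JupiterOne's own; the record shape is an
assumption that mirrors the property names used in the queries."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple


@dataclass(frozen=True)
class Network:
    displayName: str
    CIDR: str
    env: str  # the containing aws_vpc (or Account) the queries group by


def identical_cidrs(nets: List[Network]) -> List[Tuple[str, str]]:
    """What `where n1.CIDR=n2.CIDR` finds: same environment, same CIDR string."""
    return [(a.displayName, b.displayName)
            for a, b in combinations(nets, 2)
            if a.env == b.env and a.CIDR == b.CIDR]


def overlapping_cidrs(nets: List[Network]) -> List[Tuple[str, str]]:
    """Same environment and at least one address in common. This is the
    condition that produces a real collision, and it includes the identical
    pairs as a special case."""
    hits = []
    for a, b in combinations(nets, 2):
        if a.env != b.env:
            continue
        if ipaddress.ip_network(a.CIDR).overlaps(ipaddress.ip_network(b.CIDR)):
            hits.append((a.displayName, b.displayName))
    return hits


def missed_by_equality(nets: List[Network]) -> List[Tuple[str, str]]:
    """Overlapping pairs that the string-equality query does not report."""
    exact = set(identical_cidrs(nets))
    return [p for p in overlapping_cidrs(nets) if p not in exact]


# Constructed sample data, not real subnets.
SAMPLE_NETWORKS = [
    Network("subnet-a1", "10.0.0.0/24",   "vpc-a"),
    Network("subnet-a2", "10.0.0.0/24",   "vpc-a"),  # duplicate of subnet-a1
    Network("subnet-a3", "10.0.0.128/25", "vpc-a"),  # inside a1/a2, different string
    Network("subnet-a4", "10.0.1.0/24",   "vpc-a"),  # disjoint
    Network("subnet-b1", "10.0.0.0/24",   "vpc-b"),  # same CIDR, but another VPC
]

if __name__ == "__main__":
    print("equal CIDRs:  ", identical_cidrs(SAMPLE_NETWORKS))
    print("overlapping:  ", overlapping_cidrs(SAMPLE_NETWORKS))
    print("missed by =:  ", missed_by_equality(SAMPLE_NETWORKS))
```

Run as a script, it reports the one duplicated pair the J1QL would find and the two overlapping pairs it would not. To apply the overlap check to real data, export the query's `n1.displayName`, `n1.CIDR` and `env.displayName` columns into `Network` records.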
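The two inbound-SSH questions above ("Show all inbound SSH firewall rules" and "Is inbound SSH allowed directly from an external host or network?") share one predicate: an ingress rule whose port range contains 22, optionally restricted to sources not flagged internal. The Python below is an added example, not JupiterOne's own code, that implements the same predicate over constructed security-group rules so the range-containment and `internal=undefined` behaviour can be seen on data; the `Rule` and `Source` shapes are assumptions that mirror the property names in the queries. It also flags all-protocol rules (AWS protocol -1), which the literal `ipProtocol='tcp'` filter skips.

```python
"""Model of the two inbound-SSH queries above, run over constructed
security-group rules. Example code, not JupiterOne's own; the dataclass
shapes are assumptions that mirror the property names used in the queries."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SSH_PORT = 22


@dataclass
class Source:
    """The (Host|Network) at the far end of an ALLOWS relationship."""
    displayName: str
    CIDR: str
    internal: Optional[bool] = None  # None stands in for J1's internal=undefined


@dataclass
class Rule:
    """One firewall ALLOWS rule, with the properties the queries filter on."""
    firewall: str
    ingress: bool
    ipProtocol: str                  # "tcp", "udp", "icmp" or "-1" (all traffic)
    fromPort: Optional[int]
    toPort: Optional[int]
    src: Source


def rule_covers_tcp_port(rule: Rule, port: int) -> bool:
    """True when the rule admits TCP traffic to `port`.

    Mirrors `ipProtocol='tcp' and fromPort<=port and toPort>=port`, and in
    addition treats an all-protocols rule (-1, no port range) as covering
    every port, which the string-equality filter in J1QL would miss."""
    if rule.ipProtocol == "-1":
        return True
    if rule.ipProtocol != "tcp" or rule.fromPort is None or rule.toPort is None:
        return False
    return rule.fromPort <= port <= rule.toPort


def is_external(src: Source) -> bool:
    """Mirrors `internal=false or internal=undefined`: anything not
    positively flagged internal is treated as untrusted."""
    return src.internal is not True


def is_world_open(src: Source) -> bool:
    """A source CIDR that covers the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(src.CIDR, strict=False).prefixlen == 0


def inbound_ssh_rules(rules: List[Rule]) -> List[Rule]:
    """First query: every inbound rule whose range contains port 22."""
    return [r for r in rules if r.ingress and rule_covers_tcp_port(r, SSH_PORT)]


def external_ssh_rules(rules: List[Rule]) -> List[Rule]:
    """Second query: the subset whose source is not an internal host/network."""
    return [r for r in inbound_ssh_rules(rules) if is_external(r.src)]


# Constructed sample data, not real security groups.
INTERNET = Source("Internet", "0.0.0.0/0")                  # internal undefined
OFFICE = Source("corp-office", "203.0.113.0/24", internal=False)
VPC = Source("vpc-main", "10.0.0.0/16", internal=True)

SAMPLE_RULES = [
    Rule("sg-web",     True,  "tcp", 22,   22,   INTERNET),  # SSH open to the world
    Rule("sg-bastion", True,  "tcp", 0,    1024, OFFICE),    # broad range containing 22
    Rule("sg-app",     True,  "tcp", 22,   22,   VPC),       # SSH from inside the VPC only
    Rule("sg-db",      False, "tcp", 22,   22,   INTERNET),  # egress rule: not inbound
    Rule("sg-legacy",  True,  "-1",  None, None, INTERNET),  # all traffic, all ports
    Rule("sg-dns",     True,  "udp", 53,   53,   INTERNET),  # wrong protocol
]

if __name__ == "__main__":
    for r in external_ssh_rules(SAMPLE_RULES):
        flag = " (world-open)" if is_world_open(r.src) else ""
        print(f"{r.firewall}: {r.ipProtocol} {r.fromPort}-{r.toPort} "
              f"from {r.src.displayName} {r.src.CIDR}{flag}")
```

Against the sample data the first function returns four rules (the egress and UDP rules drop out) and the second returns three, since the rule sourced from the VPC is internal. Treating an unset `internal` flag as external is deliberate: it errs toward reporting a source whose trust level nobody has asserted, which is the same choice the J1QL makes with `internal=undefined`.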