Inspect network traffic
Traffic Discovery provides visibility into patterns of network connections established with Halo-protected hosts. You can use Traffic Discovery to visualize the traffic patterns among Halo-protected hosts, as well as traffic between Halo-protected hosts and remote systems. The connection information comes from regular Halo scans of all of your protected servers.
Traffic Discovery gives you detailed information on inbound and outbound connections as well as open (listening) ports on any of your servers. You can then use that information to create firewall policies that allow acceptable traffic while blocking traffic that is unwanted or unnecessary to the functioning of your servers' systems and applications.
In the Halo portal, the Connections view of the Environment screen displays a snapshot of the last 32 days of connections within a server group or on an individual server.
What is a connection?
Traffic Discovery defines an inbound connection as a particular local user and process accepting communication from an entity at a specific remote IP address, using a particular communication protocol through a particular local port. Likewise, an outbound connection is communication by a particular local user and process, sent to a specific remote entity using a particular protocol through a particular remote port.
These definitions allow for specifying continuity and identity in connections. For example:
- If two consecutive scans of a given server show inbound or outbound connections that are identical by these criteria, they are tracked as the same connection. For example, a server's outbound TCP connection from local port 'a' to a remote endpoint's port 80 will be tracked as the same connection as one from local port 'b' to that same endpoint and port. The local port is not often a consideration for outbound connections, and the remote port is not often a consideration for inbound connections.
- The definitions also allow for comparing connections across all of the servers in your network, to determine how many instances of the "same" connection exist. The group-based views of inbound, outbound, and listening connections include counts of multiples of a given connection.
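The identity rules above decide which scan records are "the same" connection and which are multiples across a group. This added Python example (not Halo's own code; field names and sample records are constructed for illustration) builds that identity key, merges two consecutive scans of one server, and counts multiples across servers:

```python
from dataclasses import dataclass
from collections import Counter

# Constructed connection records in the shape a Traffic Discovery scan might
# report (field names are this example's assumptions, not Halo's own API).
@dataclass(frozen=True)
class Conn:
    server: str        # Halo-protected host that reported the connection
    direction: str     # "inbound" or "outbound"
    local_user: str
    process: str
    remote_ip: str
    protocol: str
    local_port: int
    remote_port: int

def identity(c):
    """Identity tuple per the definitions above: local user and process, remote
    IP, protocol, and the LOCAL port for inbound or the REMOTE port for outbound.
    The ephemeral side of each direction is deliberately dropped."""
    port = c.local_port if c.direction == "inbound" else c.remote_port
    return (c.direction, c.local_user, c.process, c.remote_ip, c.protocol, port)

def track(scans):
    """Merge consecutive scans of one server: identical identities are one connection."""
    tracked = {}
    for n, scan in enumerate(scans, start=1):
        for c in scan:
            rec = tracked.setdefault(identity(c), {"first": n, "last": n, "seen": 0})
            rec["last"] = n
            rec["seen"] += 1
    return tracked

def group_multiples(conns):
    """Count instances of the 'same' connection across every server in a
    group, as the group-based views do (the server field is ignored)."""
    return Counter(identity(c) for c in conns)

# Constructed sample: two scans of web01. The outbound fetch to port 80 changes
# its ephemeral local port between scans, the inbound SSH its remote port.
scan1 = [
    Conn("web01", "outbound", "www", "curl", "203.0.113.10", "TCP", 51000, 80),
    Conn("web01", "inbound", "root", "sshd", "198.51.100.7", "TCP", 22, 40001),
]
scan2 = [
    Conn("web01", "outbound", "www", "curl", "203.0.113.10", "TCP", 51002, 80),
    Conn("web01", "inbound", "root", "sshd", "198.51.100.7", "TCP", 22, 40055),
    Conn("web01", "inbound", "lp", "cupsd", "198.51.100.9", "TCP", 631, 40100),
]
```

Running `track([scan1, scan2])` yields three tracked connections, not five, because the port-80 and SSH records match across scans.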
Get an instant visual display of all current and recent inbound and outbound connections between all of your Halo-protected hosts and with external entities. Use that information to design a set of narrowly targeted, high-security firewall policies across your network.
A. Enable Traffic Discovery
Note: Halo Traffic Discovery must be activated for your account before you can use it. If it is not yet activated and you would like it to be, contact your CloudPassage account representative.
Once Traffic Discovery is activated, you then enable it for individual server groups.
- In the group tree on the Environment screen, select the group for which you wish to use Traffic Discovery.
- Click the Settings view button, then click the Agent Settings subtab.
- Under Traffic Discovery Scanning, click "Enable on this group". Traffic Discovery scans of this group's servers will begin immediately.
B. View a server group's inbound connections (list view)
- In the group tree, verify that your Traffic Discovery-enabled server group is selected, then click the Connections view button. A table appears that lists default information for each of the (unique) connections on that server.
- Click the Columns button on the top right, and click Inbound Firewall to display columns of most use in designing inbound firewall rules. Optionally add a few more useful columns from the Columns selector and close the selector.
Note that the search filter "Inbound" has automatically been added to the display to remove all outbound connections from the list. Note also that some of the displayed columns are different from those in the default view.
- For each connection (each row), note the values of the local attributes on the left (Local Group and Local Port in the above example) and the remote attributes on the right (Protocol and Remote Context). Use that information, possibly with other columns that you might display, to decide whether you want that connection to be allowed or prohibited in your firewall policy for this server's group.
In the above example, we can infer that the inbound connections are from a variety of remote servers, apparently all of them external to Halo (because the remote context is unknown). All appear to be using the TCP protocol, and many come through port 22, on which the secure shell process is running. They connect to several different local server groups.
The connections through port 22 and running SSH appear to be standard server-administrator connections, and so should be permitted by appropriate firewall rules in your policy. The single connection to the "bern" server group through port 631 and using the cupsd protocol is remote access for printing purposes, and might be considered for passing or for blocking by the firewall, depending on whether the servers in this group should be accepting such connections.
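Section B turns rows of inbound connections into per-group allow or block decisions. As an added example (not Halo's code; the row field names and sample values are constructed to mirror the Inbound Firewall column set), this Python collapses such rows into one candidate rule per group, protocol, port and process, keeping the evidence a reviewer needs: connection count, remote IPs, and whether any source is outside Halo (remote context unknown):

```python
from collections import defaultdict

# Constructed rows mirroring the Inbound Firewall columns of the Connections
# view. Field names and values are this example's own, not Halo's.
INBOUND_ROWS = [
    {"local_group": "web", "local_port": 22, "protocol": "TCP", "process": "sshd",
     "remote_ip": "198.51.100.7", "remote_context": "unknown"},
    {"local_group": "web", "local_port": 22, "protocol": "TCP", "process": "sshd",
     "remote_ip": "198.51.100.8", "remote_context": "unknown"},
    {"local_group": "db", "local_port": 22, "protocol": "TCP", "process": "sshd",
     "remote_ip": "198.51.100.7", "remote_context": "unknown"},
    {"local_group": "db", "local_port": 5432, "protocol": "TCP", "process": "postgres",
     "remote_ip": "10.0.1.20", "remote_context": "web"},
    {"local_group": "bern", "local_port": 631, "protocol": "TCP", "process": "cupsd",
     "remote_ip": "203.0.113.44", "remote_context": "unknown"},
]

def candidate_rules(rows):
    """One candidate rule per (local group, protocol, local port, process),
    with the evidence needed to decide whether to allow or block it."""
    agg = defaultdict(lambda: {"count": 0, "remote_ips": set(), "sources": set()})
    for r in rows:
        key = (r["local_group"], r["protocol"], r["local_port"], r["process"])
        a = agg[key]
        a["count"] += 1
        a["remote_ips"].add(r["remote_ip"])
        a["sources"].add(r["remote_context"])
    rules = []
    for (group, proto, port, proc), a in sorted(agg.items()):
        # A remote context of "unknown" means the peer is not a Halo-protected
        # host, so the source must be named by IP rather than by server group.
        external = "unknown" in a["sources"]
        if external:
            source = "ip:" + ",".join(sorted(a["remote_ips"]))
        else:
            source = "group:" + ",".join(sorted(a["sources"]))
        rules.append({
            "group": group, "protocol": proto, "port": port, "process": proc,
            "connections": a["count"], "remote_ips": sorted(a["remote_ips"]),
            "external_sources": external, "suggested_source": source,
        })
    return rules
```

Each rule still needs a human decision, as with the cupsd example above; the output only makes the scope of that decision (which groups, ports and sources) explicit.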
C. View a group's inbound connections (visualization)
- To view connections as graphical visualizations, click the visualization toggle at the top of the Connections view. The list of connections changes to a graphical depiction.
- The visualization displays the same set of columns as in the list view, but again you can use the Columns selector to change the display as you wish. For example, you might decide that the Remote IP address column (on the right) is too cramped and unreadable, so you might remove it or replace it with one of the several columns that group the IP addresses into several categories.
In the visualization you can see the entire set of connections (298 in the above example) at one glance, which gives you immediate information on what actual remote servers, protocols, processes, ports, and so on are involved across the whole server group. It also gives you an immediate sense of the relative frequency of various types of connection. For example, it is apparent that the majority of connections into this group are the administrative connections mentioned earlier, plus the many connections to the Microsoft Service Host (svchost.exe), which may indicate that this group of Windows servers is dependent on running a large number of services—or maybe that it is running more services than it needs to—and you may be able to remove some of them.
D. Dig deeper
There are many other ways to manipulate your connection data in the portal. Besides inbound connections, you can examine outbound connections or open (listening) ports for any of your server groups or any individual server. You can view a set of connections across many more (or fewer) dimensions than those shown in these examples. Also, especially in the visualizations, you can zoom in or zoom out of certain columns to see either much finer detail or a much broader picture of your network activity.
With this information, you should be able to design very tightly constrained and customized host firewalls that allow each server in each server group the ability to grant appropriate access to all entities that need the access, but to no others.