{"id":22499173,"url":"https://github.com/wanmail/know-your-network","last_synced_at":"2026-01-29T22:03:00.885Z","repository":{"id":266808360,"uuid":"899395254","full_name":"wanmail/Know-Your-Network","owner":"wanmail","description":"This is a comprehensive tool for analyzing and visualizing hybrid network architectures across multiple cloud providers, accounts, and on-premise data centers. This tool leverages Neo4j graph database to provide insights into complex network relationships and configurations.","archived":false,"fork":false,"pushed_at":"2024-12-06T08:18:28.000Z","size":769,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-12-06T09:22:44.467Z","etag":null,"topics":["aws","neo4j","network-analysis","network-visualization","reachability-analyzer","zero-trust-network"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wanmail.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-06T07:16:18.000Z","updated_at":"2024-12-06T08:18:31.000Z","dependencies_parsed_at":"2024-12-06T09:22:49.131Z","dependency_job_id":"c8824876-613b-4a01-8865-a9a47836857f","html_url":"https://github.com/wanmail/Know-Your-Network","commit_stats":null,"previous_names":["wanmail/know-your-network"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wanmail%2FKnow-Your-Network","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/wanmail%2FKnow-Your-Network/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wanmail%2FKnow-Your-Network/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wanmail%2FKnow-Your-Network/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wanmail","download_url":"https://codeload.github.com/wanmail/Know-Your-Network/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228531290,"owners_count":17933244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","neo4j","network-analysis","network-visualization","reachability-analyzer","zero-trust-network"],"created_at":"2024-12-06T22:11:31.642Z","updated_at":"2026-01-29T22:03:00.834Z","avatar_url":"https://github.com/wanmail.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Know Your Network\n\nWhen you join a new company, you will be faced with a complex network architecture left over from history. How to quickly sort out the network architecture and transform it according to the principles of zero trust?\n\nThis is a comprehensive tool for analyzing and visualizing hybrid network architectures across multiple cloud providers, accounts, and on-premise data centers. 
This tool leverages the Neo4j graph database to provide insights into complex network relationships and configurations.\n\n## Why Not?\n### AWS Reachability Analyzer\nReachability Analyzer can help us [discover network paths across multiple AWS Regions](https://aws.amazon.com/cn/blogs/networking-and-content-delivery/using-vpc-reachability-analyzer-to-discover-network-paths-across-multiple-aws-regions/).\n\nHowever, it does not support cross-account and multi-cloud environments.\n\nBut we can borrow its network path model to design `neo4j relationships`.\n\n![alt text](./docs/image/reachability-analyzer.png \"https://aws.amazon.com/cn/blogs/networking-and-content-delivery/using-vpc-reachability-analyzer-to-discover-network-paths-across-multiple-aws-regions/\")\n\n### cartography\n[cartography](https://github.com/cartography-cncf/cartography) can help us consolidate infrastructure assets and their relationships.\n\nHowever, it does not include network relationships, such as routing tables, ACLs, security groups, etc.\n\n\n## Features\n\n- Network relationship mapping\n- Graph-based network analysis\n- Support for multiple resources:\n  - AWS\n    - VPCs\n    - Subnets\n    - Network Interfaces (ENIs)\n    - Security Groups\n    - Transit Gateways\n    - VPC Peering Connections\n    - Route Tables\n    - NACL (TODO)\n    - ELB (TODO)\n    - Prefix lists (TODO)\n    - VPN/Direct Connect (TODO)\n    - Route53 (TODO)\n  - Fortigate (TODO)\n    - IP Addresses\n    - Firewall Policies\n    - IPsec tunnels\n  - Cloudflare (TODO)\n- Support for multiple resource collection methods:\n  - AWS\n    - API\n      - Boto3 common authentication\n      - AWS SSO authentication\n    - Config Service (TODO)\n      - API collection\n      - S3 snapshot collection\n\n## How to Use\n\n### Prerequisites\n- Docker and Docker Compose\n- AWS credentials (if collecting AWS data)\n- Python 3.9+ (if running locally)\n\n### Quick Start with Docker\n1. 
Clone the repository\n```\ngit clone https://github.com/wanmail/Know-Your-Network.git\n```\n\n2. Create a `.env` file with Neo4j credentials\n```\nNEO4J_USER=neo4j\nNEO4J_PASSWORD=your_secure_password\n```\n\n3. Configure your data source in `config.yml`, see [Configuration Options](#Configuration)\n\n4. Start the services\n```\ndocker-compose up -d\n```\n\n5. Access the Neo4j browser at http://localhost:7474 to query your network data\n\n6. Start the analyzer (run this again each time you want to re-collect data)\n```\ndocker-compose up -d analyzer\n```\n\n7. Start the analyzer in dev mode (uncomment the `analyzer-dev` service in `docker-compose.yml` first)\n```\ndocker-compose up -d analyzer-dev\n```\n\n### Local Installation\n\n1. Install dependencies\n```\npip install -r requirements.txt\n```\n\n2. Install Neo4j labels\n```\nneomodel_install_labels analyzer.models.network analyzer.models.aws {neo4j_url}\n```\n\n3. Configure your data source and neo4j in `config.yml`, see [Configuration Options](#Configuration)\n\n4. Run the analyzer\n```\npython main.py\n```\n\n\u003ca name=\"Configuration\"\u003e\u003c/a\u003e\n### Configuration Options\n\n```yaml\n# If debug is set, API calls save their responses in the `export` directory, and data can then be loaded from there instead of being pulled through the API again.\ndebug: true\n\n# neo4j url\nneo4j: \"bolt://neo4j:neo4j@localhost:7687\"\n\n# Data source config\n```\n- [AWS Source](./docs/aws.md)\n\n## Example Cypher\nRefer to the `examples` directory.\n\n### Discover VPC peering connections\n```\nMATCH p=()-[r:peering]-\u003e() RETURN p limit 25\n```\n\n![alt text](./docs/image/peering.png)\n\n### Discover TGW connections\n```\nMATCH (t:TGW) \u003c- [:belong_to] - (a:TGWAttachment) - [:tgw_attach]-(v:VPC) RETURN t,a,v limit 25\n```\n![alt text](./docs/image/tgw.png)\n\n### Find public ENIs\nThat is, ENIs that have a public IP address and whose security group has an ingress rule from an address range outside the private (RFC 1918) ranges. The query below keeps only ingress CIDRs whose start address lies outside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, expressed as integer bounds; the commented-out line would additionally drop single-host (/32) rules.
\n\n```\nMATCH (e:ENI) \nWHERE e.public_ip_addr IS NOT NULL AND e.public_ip_addr \u003c\u003e ''\n\nMATCH (e) - [:`with_policy`] - (:SecurityGroup) - [i:ingress] - (c:Cidr)\nWHERE NOT ( (c.`start_ip_int`\u003e=167772160 AND c.`start_ip_int` \u003c= 184549375)\nOR (c.`start_ip_int`\u003e=2886729728 AND c.`start_ip_int` \u003c= 2887778303)\nOR (c.`start_ip_int`\u003e=3232235520 AND c.`start_ip_int` \u003c= 3232301055))\n// AND NOT (c.`start_ip_int` = c.`end_ip_int`) \n\nRETURN e limit 25\n```\n\n### Find SSH access via VPC peering\n```\nMATCH (src:ENI) - [:`with_policy`] - (sg:SecurityGroup) - [i:ingress] - (c:Cidr)\nWHERE i.`from_port`=22\n\nMATCH (src:ENI) - [:`ip_assigned`] - (sip:IP)\n\nMATCH (src:ENI) - [:`belong_to`] - (v:VPC)\n\nMATCH (dst:ENI) - [:`ip_assigned`] - (dip:IP)\nWHERE c.`start_ip_int` \u003c= dip.`ip_int` AND c.`end_ip_int` \u003e=dip.`ip_int`\n\nMATCH (dst:ENI) - [:`belong_to`] - (:Subnet) - [:`route_to`] - (:`EC2RouteTable`) - [rt:`route_to`] - (:PeeringConnection) - [:peering] - (v:VPC)\nWHERE rt.`start_ip_int`\u003c=sip.`ip_int` AND rt.`end_ip_int`\u003e=sip.`ip_int`\n\n// WITH COUNT(src) AS managed_count, dst\n// WHERE managed_count \u003e 1\n\n// ORDER BY managed_count DESC\n// LIMIT 30\n\n// RETURN dst.`resource_id`, dst.`private_ip_addr`, dst.`owner_id`, managed_count\n\nRETURN src,dst limit 25\n```\n\n\u003e Please note that the `src` here refers to the `src` we started querying instead of the `src` accessed by the network. We start from the ingress rule, so `src` refers to the accessed eni, and `dst` refers to the visitor.\n\u003e That means, `dst` -\u003e 22 -\u003e `src` .","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwanmail%2Fknow-your-network","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwanmail%2Fknow-your-network","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwanmail%2Fknow-your-network/lists"}