Clarity

    Dome9 Clarity gives a graphical visualization of the Security Groups in your cloud environment, and their effects on the cloud assets in the environment. It shows the Security Groups, traffic sources, and permitted traffic paths in the cloud network. The view is organized logically, according to the level of exposure of the Security Group to the external world.

    There are two main views in Clarity. The Security Groups view shows all the Security Groups and the traffic flows in the network, ordered from most exposed to most internal. The second view, the Effective Policy view, shows the Security Groups as they affect assets in the environment (such as instances). In this view, Security Groups that affect the same asset are grouped together, and Security Groups that do not affect any assets are not shown. You can switch between the two views.

    In each view, you can see details for individual Security Groups and then drill down to show further details for the Security Group rules and the instances affected by it.
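    The two views described above, as an added example that is not Dome9 code: it takes constructed AWS-style Security Groups and instances (the data shapes are assumptions), ranks each group by hop distance from the internet to reproduce the "most exposed to most internal" ordering of the Security Groups view, and then groups instances by their attached Security Groups while dropping unused ones, as the Effective Policy view does.

```python
from collections import defaultdict

INTERNET = "0.0.0.0/0"

# Constructed sample (assumed shape, loosely modelled on the EC2 API).
# "web" is open to the internet, "app" admits only "web", "db" admits only "app",
# "mgmt" admits only a private range, and "unused" protects no instance.
SECURITY_GROUPS = {
    "sg-web":    [{"port": 443,  "sources": [INTERNET]}],
    "sg-app":    [{"port": 8080, "sources": ["sg-web"]}],
    "sg-db":     [{"port": 5432, "sources": ["sg-app"]}],
    "sg-mgmt":   [{"port": 22,   "sources": ["10.0.0.0/8"]}],
    "sg-unused": [{"port": 22,   "sources": [INTERNET]}],
}
INSTANCES = {
    "i-web1": ["sg-web"],
    "i-web2": ["sg-web"],
    "i-app1": ["sg-app", "sg-db", "sg-mgmt"],
}


def exposure_levels(groups):
    """Return {sg_id: hops from the internet}; None when not internet-reachable.
    Level 0 = a rule with a 0.0.0.0/0 source; level n = reachable only through
    a level n-1 group referenced as a rule source (the Security Groups view order)."""
    level = {sg: (0 if any(INTERNET in r["sources"] for r in rules) else None)
             for sg, rules in groups.items()}
    changed = True
    while changed:  # relax until no group gets a shorter path from the internet
        changed = False
        for sg, rules in groups.items():
            for rule in rules:
                for src in rule["sources"]:
                    if src in level and level[src] is not None:  # source is an SG
                        cand = level[src] + 1
                        if level[sg] is None or cand < level[sg]:
                            level[sg] = cand
                            changed = True
    return level


def effective_policy(groups, instances):
    """Bucket instances by the exact set of SGs attached to them and list the
    SGs that protect no instance (what the Effective Policy view hides)."""
    buckets = defaultdict(list)
    for inst, sgs in instances.items():
        buckets[tuple(sorted(sgs))].append(inst)
    used = {sg for sgs in buckets for sg in sgs}
    return dict(buckets), sorted(set(groups) - used)
```

Here sg-unused is internet-exposed yet absent from the Effective Policy grouping, which is exactly the kind of redundant policy the Use Cases list refers to.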

    You can view environments in all three cloud providers. Some of the details shown in the views vary according to the provider.

    You can also view AWS CloudFormation Templates (CFT), to visualize environments that are still at the design stage and not yet deployed.

    You can use Clarity to analyze your cloud network for security issues such as access to sensitive components from the internet, or to troubleshoot it for connectivity issues such as blocked paths to components.

    Benefits

    • logical visualization of inbound traffic to your VPC and its components, and the cloud perimeter

    • visualize complex networks (e.g., with many instances, cross-VPC, cross-region)

    • easily identify security issues, blocked paths

    • Effective Policy view aggregates Security Groups that affect common cloud instances, and hides those that don't affect any instances, giving a simplified view

    • agentless & automated information gathering from Cloud environments

    • auto-classification of protected cloud assets based on level of exposure to the outside world

    • real-time topology map of security groups and interrelationships between security policies

    • visualization of traffic flow and dropped traffic between cloud assets - security groups, instances, etc.

    • visualization of architecture templates (e.g., AWS CFTs) to inspect and collaborate prior to deployment

    • provide real-time topology of cloud assets

    • get a clear understanding of the interplay between security policies for multi-tier applications and the effective security posture in a cloud environment

    • similar cross-cloud security visualization experience

    • contextual VPC flow logs

    • visual virtual networks connectivity

    Use Cases

    • uncover network security and operational issues

    • understand the security relations between elements in the virtual network

    • inspect the real-time traffic running through the elements in the VPC

    • find elements with identical security configurations

    • understand the connections between virtual networks

    • troubleshoot a new cloud environment: blocked or open connections, redundant or contradictory policies, etc.

    • evaluate a cloud design (template)

    • real-time evaluation of changes to a cloud deployment or security policies


    How to use Clarity

    The following sections explain how to select and then visualize a cloud environment in Clarity, how to use the different views, and the actions you can perform to see additional information.

    Select a cloud environment

    The first step in Clarity is to select the cloud environment to visualize.

    1. Select Clarity from the main menu. A list of your cloud accounts is shown on the left.

    2. Select an account from the list. A list of the regions in which you have cloud environments is shown. The numbers in brackets indicate the number of assets.

    3. Select a region. The environments in the region are shown as blocks. For AWS accounts, connections between blocks indicate peering connections between environments.

    4. Click on a block, representing a cloud environment. The pane on the right shows the type and number of instances in the environment.

      For GCP accounts this detail appears like this: