A computing device is configured to retrieve network security configuration information from a computer network and generate a security configuration map which readily enables a user to detect defects in the security configuration with respect to a security policy. The computing device retrieves firewall configurations from security appliances in the network which operate firewalls, and processes the firewall configurations to generate a set of corresponding standardized firewall configurations. These are processed to identify enclaves containing network nodes which are associated with respective security sensitivity values based on the security policy. The computing device monitors and detects inter-node network traffic. The computing device generates a map representing the network nodes and security appliances, the security enclaves, the respective security sensitivity values, and the network traffic flows, thereby rendering readily visible inconsistencies between the actual security configuration and traffic flows, and the security policy.