Traditional network security in a company is implemented by segmenting the network into smaller parts with perimeters between them. The reason for this is mainly that conventional firewalls work only at the perimeter between network segments.


For this reason, we have implemented our 

concept of enriched network objects that apply policy rules to traffic initiated from and directed to devices in the network.
Using static and dynamic network objects, Threat Defender provides an overlay security network . These objects are used to adapt the network segmentation dynamically and at runtime based on the network behavior without requiring a change in the existing network topology. Segments may overlap.

Using network objects, you can segment your network in a logical manner and use these objects in security policies to add protection between the network segments. It is also possible to define overlapping segments. Network objects are used in rules and policies to match source and destination hosts. You can use a network object in multiple rules simultaneously. There is no need to define it in every single rule.

This means:

  • Any network object can be used in several rules.
  • You can apply a whole set of rules to a group of devices without redefining the group for each rule.
  • When a device is part of several network objects, multiple policies can be layered and applied to that device.

There are two types of network objects: static and dynamic network objects.

The following simple example workflow illustrates how network segmentation using static and dynamic network objects can be effected:

  1. Static network objects segment the network based on the purpose of the devices. The dynamic network object called "Isolated" is used to isolate hosts displaying suspicious behavior from the remaining network, i.e. other hosts, internal ressources, etc.

    dynamic segmentation workflow 1
    Figure: Network segmentation using static and dynamic network objects.
  2. Using rules, Threat Defender monitors the communication behavior in the network to detect any unwanted or suspicious behavior.

    dynamic segmentation workflow 2
    Figure: Threat Defender detects unwanted behavior in one of the clients.
  3. Using a rule, the respective client is added to the dynamic network object.

    dynamic segmentation workflow 3
    Figure: A rule adds the concerned host to the dynamic network object.
  4. Another rule drops all communication from hosts in the dynamic network object. Thereby, the suspicious host is isolated from the remaining network.

    dynamic segmentation workflow 4
    Figure: Any traffic from hosts in the dynamic network object is dropped, isolating them from the remaining network.

Static Network Objects

Static network objects are used to group hosts and devices. They are used globally, meaning they are available for all rules. Several attributes can be used to assign devices to a network object:

  • Inclusion and exclusion of individual IP addresses and networks in CIDR notation, both in IPv6 and IPv4
  • Inclusion and exclusion of individual MAC addresses and MAC address ranges
  • Physical network interfaces on the device
  • VLAN tags

You can define static network objects using just one or any combination of these attributes. 

For example, it is possible to have a network object that matches all devices in VLAN 21.
But you can also have very specific conditions, e.g. only devices with IP network 10.10.10.0/27 in VLAN 5 and connected to the physical interface eth8 of the device match.

See Creating Static Network Objects for further information.

Dynamic Network Objects

Dynamic network objects are used to track the state of hosts and create host groups with common behavior on the fly. The hosts of the group share a specific characteristic or property that is not static but depends on events happing dynamically in the running system. Based on this behavior, a specific set of policies is applied to them. This allows the policy engine to adapt to changing situations. It dynamically controls what rules are applied to different groups of hosts in real time.

Dynamic network objects are lists of individual IPv6 and IPv4 addresses or MAC addresses. IP or MAC addresses can be added dynamically and are removed either by an explicit rule action or automatic timeout.

cognitix added a new type of action to the policy rule language to add the source or destination IP of a flow to a dynamic network object. These dynamic network objects can then be used to match source and destination of flows in other rules to dynamically apply policies to all traffic of a device depending on the behavior of that device. This allows for automatic network protection without the need to manually maintain long, unordered network object lists.

In combination with the correlation engine, the dynamic network objects allow you to react to changed or unwanted behavior using policies for the device and not just for a single flow.

Dynamic network objects can be global (available for all rules) or be defined and used within a correlation scenario.

Using dynamic network objects, you can for example:

  • Easily define a policy that automatically adds all source hosts in the network to a dynamic network object that were found to be infected by the IPS. You can then implement various access restriction policies for that object.
  • Using the timeout feature of dynamic network objects, you can block hosts for a certain amount of time.




Additional Information

For more information, please check our homepage for more information on Behavior Based Correlation and Dynamic Network Objects.