Traditional network security in a company is implemented by segmenting the network into smaller parts with perimeters between them. The reason for this is mainly that conventional firewalls work only at the perimeter between network segments.

For this reason, we have implemented our concept of enriched network objects that apply policy rules to traffic initiated from and directed to devices in the network.
Using static and dynamic network objects, Threat Defender provides an overlay security network. These objects are used to adapt the network segmentation dynamically and at runtime based on the network behavior without requiring a change in the existing network topology. Segments may overlap.

You can use network objects in multiple rules simultaneously. This means:

  • Any network object can be used in several rules.
  • You can apply a whole set of rules to a group of devices without redefining the group for each rule.
  • When a device is part of several network objects, multiple policies can be layered and applied to that device.

There are two types of network objects: static and dynamic network objects.

The following simple example workflow illustrates how network segmentation using static and dynamic network objects can be effected:

  1. Static network objects (SNOs) segment the network based on the purpose of the devices. The dynamic network object (DNO) called "RC" is used to isolate hosts that are remotely accessed. This way, specific rules can be applied to them, e.g. deny them access to internal resources, etc.

  2. Using rules, Threat Defender monitors the communication behavior in the network to detect any unwanted or suspicious behavior.Figure 1: Threat Defender detects unwanted behavior in one of the clients.

  3. Using a rule, the respective client is added to the dynamic network object.

    Figure 2: A rule adds the concerned host to the dynamic network object.
  4. Another rule rejects all communication from hosts in the dynamic network object to the internal servers.

    Figure 3: Traffic from hosts in the dynamic network object to the internal servers is rejected.

Static Network Objects

Static network objects are used to group hosts and devices. They are used globally, meaning they are available for all rules. Several attributes can be used to assign devices to a network object:

  • Inclusion and exclusion of individual IP addresses and networks in CIDR notation, both in IPv6 and IPv4
  • Inclusion and exclusion of individual MAC addresses and MAC address ranges
  • VLAN tags

You can define static network objects using just one or any combination of these attributes. 

For example, it is possible to have a network object that matches all devices in VLAN 21.
But you can also have very specific conditions, e.g. only devices with IP network in VLAN 5 match.

Dynamic Network Objects

Dynamic network objects are used to track the state of hosts and create host groups with common behavior on the fly. The hosts of the group share a specific characteristic or property that is not static but depends on events happening dynamically in the running system. Based on this behavior, a specific set of policies is applied to them. This allows the policy engine to adapt to changing situations. It dynamically controls what rules are applied to different groups of hosts in real time.

Dynamic network objects are lists of individual IPv6 and IPv4 addresses or MAC addresses. IP or MAC addresses can be added dynamically and are removed either by an explicit rule action or automatic timeout.

cognitix Threat Defender adds a new type of action to the policy rule language to add the source or destination IP of a flow to a dynamic network object. These dynamic network objects can then be used to match source and destination of flows in other rules to dynamically apply policies to all traffic of a device depending on the behavior of that device. This allows for automatic network protection without the need to manually maintain long, unordered network object lists.

In combination with the correlation engine, the dynamic network objects allow you to react to changed or unwanted behavior using policies for the device and not just for a single flow.

Dynamic network objects can be global (available for all rules) or be defined and used within a correlation scenario.

Using dynamic network objects, you can for example:

  • Easily define a policy that automatically adds all source hosts in the network that trigger a certain number of threat intelligence incidents to a dynamic network object. You can then implement various access restriction policies for that object.
  • Using the timeout feature of dynamic network objects, you can block hosts for a certain amount of time.

Additional Information

For more information, see the Threat Defender user documentation or contact us.