Dynamic Network Segmentation

Traditional networks within a company are secured by segmenting the network into smaller physical segments, separated by defined perimeters. This is mainly because current firewalls can only operate at the perimeter between network segments. Cognitix has overcome this limitation using the concept of enriched network objects.

Network Objects

Enriched network objects are used to group hosts and devices together based on attributes that can be used to determine which devices are part of a network object. These attributes are:

Any combination of the above attributes can be used to define which devices are part of a network object. Network objects are flexible: they can be defined broadly using only one of the attributes, or narrowly using several. For example, it is possible to have a network object that matches all devices in VLAN 21, but we can also introduce very specific conditions where only devices in the IP network 10.10.10.0/27, in VLAN 5, and connected to the physical interface eth8 of the firewall are matched.

In other next-generation firewalls, the administrator has to define many items, such as interfaces, zones, VLANs and host IP addresses, in separate sections and then reference them all individually in each firewall rule. Cognitix has removed that complication and merged these items into a simple but powerful network object, which is created once and can be used repeatedly in multiple rules simultaneously.

Network objects are used in firewall rules to match the source and destination IP addresses of flows. Cognitix applies firewall rules to the traffic initiated to, and from, the devices grouped by network objects. Because a network object is defined once and can be referenced in several rules, a whole set of rules can be applied to a group of devices without redefining the group for each rule. A device can also be part of several network objects at the same time, so multiple policies can be layered and applied to the same device.

Administrators can use Cognitix network objects to easily create logical network segments, introducing these objects in security policies to add protection between their network segments.

Dynamic Network Objects

To extend the functionality of static network objects, Cognitix developed the concept of dynamic network objects. These are lists of individual IPv6 and IPv4 addresses to which addresses can be added dynamically and from which they are removed either by explicit action or by an automatic timeout. To make use of them, a new type of action was added to the firewall rule language: this action adds the source or destination IP of a flow to a dynamic network object. The dynamic network object can then be used to match source and destination IP addresses of flows in further firewall rules, so that policies are applied dynamically to all traffic of a device depending on the behavior of that device.

This is a radically new concept that has never been seen before in any other firewall. This is a paradigm shift in firewall rule management. Dynamic network objects can bring automation to network protection and prevent administrators from manually maintaining huge and unwieldy network object lists.

Administrators using contemporary firewalls have to consult reports and find the hosts in the office network which have contacted URLs with a bad reputation score. They then need to create a new network object and manually assign those hosts to it. Then they have to add a policy for that network object that denies its access to important database servers. If the next day another host in the network visits another URL with a low reputation score, that host would not get blocked by the same policy, since it is not included in the network object. With the Cognitix Threat Defender, a simple firewall rule would add visitors of bad-reputation URLs to a dynamic network object ‘bad reputation visitors’. A second firewall rule would deny that network object access to the important assets within the company. These two firewall rules would remain effective for weeks without the administrator having to look at a single report to find misbehaving hosts or to edit a list of hosts.

Another problem with contemporary firewalls is the inability to completely block access of internal hosts to the rest of the network once the intrusion prevention system, or another malware detection system, has identified these hosts as infected. The administrator has to manually sync the list of offenders from the IPS with the list of blocked hosts in the firewall. None of the hosts in that network object will regain their access rights after the issues have been resolved until the administrator has removed them manually. By using dynamic network objects, administrators can easily define a policy that automatically adds every source host for which the IPS has found an infection to a dynamic network object. The various access restriction policies can then be applied to that object. The administrator does not need to manually find the offending, and possibly compromised, hosts in the reports, nor to add them to the network object on a daily basis. The entire process is done automatically, without further involvement by the administrator. The timeout feature of dynamic network objects blocks those hosts for a defined amount of time, and not until the network administrator remembers to reinstate them.
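The following is an added example, not Cognitix code, that models the two concepts described above: static network objects matching on any combination of IP network, VLAN and interface (as in the 10.10.10.0/27 / VLAN 5 / eth8 example), and dynamic network objects with an "add source IP" rule action and an automatic timeout. The two-rule policy is the ‘bad reputation visitors’ scenario: rule 1 tags any office host that contacts a low-reputation URL, rule 2 denies tagged hosts access to the database servers. All addresses, VLAN numbers, reputation scores, the seven-day timeout and the class and function names are constructed for this illustration; the flow attributes (one VLAN and one ingress interface per flow) are a simplification.

```python
# Added example (not Cognitix code): static and dynamic network objects
# and a two-rule policy that tags misbehaving hosts and then restricts them.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    """A connection attempt seen by the firewall (constructed sample data)."""
    src_ip: str
    dst_ip: str
    vlan: int
    interface: str                        # ingress interface of the firewall
    url_reputation: Optional[int] = None  # lower is worse; None if not a web flow


@dataclass
class NetworkObject:
    """Static object: any combination of attributes; an unset attribute matches anything."""
    name: str
    networks: list = field(default_factory=list)    # e.g. ["10.10.10.0/27"]
    vlans: list = field(default_factory=list)       # e.g. [5]
    interfaces: list = field(default_factory=list)  # e.g. ["eth8"]

    def matches(self, ip: str, vlan: int, interface: str) -> bool:
        if self.networks and not any(ip_address(ip) in ip_network(n) for n in self.networks):
            return False
        if self.vlans and vlan not in self.vlans:
            return False
        if self.interfaces and interface not in self.interfaces:
            return False
        return True


@dataclass
class DynamicNetworkObject:
    """List of individual addresses; each entry expires `timeout` seconds after it was added."""
    name: str
    timeout: float
    members: dict = field(default_factory=dict)  # ip -> expiry timestamp

    def add(self, ip: str, now: float) -> None:
        self.members[ip] = now + self.timeout  # re-adding refreshes the timeout

    def remove(self, ip: str) -> None:        # explicit removal by the administrator
        self.members.pop(ip, None)

    def contains(self, ip: str, now: float) -> bool:
        expiry = self.members.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                      # automatic timeout
            del self.members[ip]
            return False
        return True


@dataclass
class Rule:
    name: str
    action: str                                  # "allow", "deny" or "add_src_to"
    src: object = None                           # NetworkObject, DynamicNetworkObject or None (any)
    dst: object = None
    condition: Optional[Callable[[Flow], bool]] = None
    target: Optional[DynamicNetworkObject] = None  # used by "add_src_to"


def _side_matches(obj, ip: str, vlan: int, interface: str, now: float) -> bool:
    if obj is None:
        return True
    if isinstance(obj, DynamicNetworkObject):
        return obj.contains(ip, now)
    return obj.matches(ip, vlan, interface)


class Firewall:
    def __init__(self, rules: list):
        self.rules = rules

    def evaluate(self, flow: Flow, now: float) -> str:
        """Return 'allow' or 'deny'. 'add_src_to' rules fire and fall through to later rules."""
        for rule in self.rules:
            if not _side_matches(rule.src, flow.src_ip, flow.vlan, flow.interface, now):
                continue
            if not _side_matches(rule.dst, flow.dst_ip, flow.vlan, flow.interface, now):
                continue
            if rule.condition is not None and not rule.condition(flow):
                continue
            if rule.action == "add_src_to":
                rule.target.add(flow.src_ip, now)
                continue
            return rule.action
        return "allow"  # default policy chosen for this example


def build_example_policy():
    """The two rules from the text: tag bad-reputation visitors, then deny them the databases."""
    office = NetworkObject("office", networks=["10.10.10.0/24"], vlans=[21])
    db_servers = NetworkObject("db-servers", networks=["10.20.0.0/24"])
    bad_visitors = DynamicNetworkObject("bad reputation visitors", timeout=7 * 24 * 3600)
    rules = [
        Rule("tag bad-reputation visitors", "add_src_to", src=office, target=bad_visitors,
             condition=lambda f: f.url_reputation is not None and f.url_reputation < 20),
        Rule("deny tagged hosts -> databases", "deny", src=bad_visitors, dst=db_servers),
    ]
    return Firewall(rules), bad_visitors


def run_scenario() -> list:
    """Constructed flow sequence; returns the verdict for each flow in order."""
    fw, _ = build_example_policy()
    day = 24 * 3600.0
    flows = [
        (0.0, Flow("10.10.10.5", "203.0.113.9", 21, "eth8", url_reputation=5)),  # bad URL: tagged
        (10.0, Flow("10.10.10.5", "10.20.0.7", 21, "eth8")),   # tagged host -> database: denied
        (10.0, Flow("10.10.10.6", "10.20.0.7", 21, "eth8")),   # untagged host: allowed
        (8 * day, Flow("10.10.10.5", "10.20.0.7", 21, "eth8")),  # tag timed out: allowed again
    ]
    return [fw.evaluate(flow, now) for now, flow in flows]


if __name__ == "__main__":
    print(run_scenario())
```

The point to notice is that no rule names the offending host: rule 2 is written once against the dynamic object, and membership is driven entirely by what rule 1 observes. The timeout in `contains` is what lets a host recover without an administrator editing the list; an explicit `remove` is still available for a faster reinstatement.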

In combination with the correlation engine described above, the dynamic network objects allow for a reaction to changed or unwanted behavior with policies that apply to the whole device and not just on a single flow.
