Network
Purpose
The Network object is representing network connectivity, like a VLAN. It is, strictly speaking, defining which applications are able to communicate with each other with no restrictions. It is not concerned about if the applications are on different network equipment or in different locations.
Connections
Application
An Application can be connected to a Network via NetworkExposure or ClientAccess.
Please see the Application section for more information.
RoutingFirewall
A RoutingFirewall can be connected to Network via NetworkExposure or ClientAccess since it is a derivative of Application. This is representing the possibility to connect to the RoutingFirewall itself (for administration purposes) from the Network.
Connecting a RoutingFirewall to a Network does not represent a router that is routing traffic to/from the Network. Such aspects are defined by the ConnectionRule objects connected to the Network.
Please see the ConnectionRule section for more information.
IDPS
An IDPS can be connected to a Network via NetworkExposure or ClientAccess like with RoutingFirewall as described above.
Connecting an IDPS to a Network does not represent NIDS functionality but instead administrative access to the IDPS solution.
Please see the paragraph "Network and NIDS functionality" under the IDPS section for more information.
ConnectionRule
A ConnectionRule can be connected to a Network using InNetworkConnection, OutNetworkConnection, NetworkConnection and DiodeNetworkConnection.
Please see the ConnectionRule section for more information.
Data
Connecting a Data object to a Network object (using DataInTransit) defines that the Data is traveling over the Network. For a traditional style unswitched network, like a hub, the Data is accessible if the attacker has access to the Network.
This is however dependent on if the Network object's defense property of EavesdropDefense is enabled or not or set to a probability.
For an unswitched Network, set the defense property EavesdropDefense of the Network to zero.
An other example of a Network where EavesdropDefense should not be enabled is wireless networks. In this case, all communication is possible to tap but the integrity is instead dependent on the quality (defense properties) of the Credentials object connected to the Data object representing the communication.
For WiFi communication, set the defense property EavesdropDefense of the Network to false and connect a Credential object to the Data object (representing the communication). The integrity of the communication is dependent on the defense properties of the Credential object.
Properties
AttackSteps
| Attack step name | Attack step purpose |
|---|---|
| Access | Being able to connect, and respond, to Applications connected via NetworkExposure and ClientAccess, respectively. |
| AccessNetworkData | Being able to access Data objects connected via DataInTransit. Prerequisite to Eavesdrop. |
| BypassAccessControl | If access control is enabled for the network, i.e. login required, this attack step is for bypassing that obstacle. |
| BypassEavesdropProtection | If EavesdropProtection, i.e. switching, is enabled, this attack step is for bypassing that. |
| BypassMitMProtection | If EavesdropProtection, i.e. IpSec/StaticArpTables/DNSSec, is enabled, this attack step is for bypassing such functionality. |
| DenialOfService | Denying the Network. |
| Eavesdrop | Listen to network traffic. |
| ManInTheMiddle | Redirecting communication between two endpoints without them noticing, giving the possibility to alter the communication content. |
| NetworkForwarding | Being able to access the Network via ConnectionRules. |
| PhysicalAccess | Gaining physical access to a location where the Network is present and connectable. |
Defenses
| Defense name | Defense purpose |
|---|---|
| EavesdropDefense | The network is configured to use Point-to-point communication. E.g. switching. For traditional non-switched hubs, WiFi and similar networks, set this defense to off. |
| ManInTheMiddleDefense | For instance; static ARP tables, IPSec, DNSSec. |
| NetworkAccessControl | Authentication (network login) is required to access the network. |
Updated about 1 year ago