JSA uses network hierarchy objects and groups to view network activity and to monitor groups or services in your network.
When you develop your network hierarchy, consider the most effective method for viewing network activity. The network hierarchy does not need to resemble the physical layout of your network. JSA supports any network hierarchy that can be defined by ranges of IP addresses, so you can base your hierarchy on many different variables, including geographical location or business units.
Guidelines for Defining Your Network Hierarchy
Building a network hierarchy in JSA is an essential first step in configuring your deployment. Without a well configured network hierarchy, JSA cannot determine flow directions, build a reliable asset database, or benefit from useful building blocks in rules.
Consider the following guidelines when you define your network hierarchy:
Organize your systems and networks by role or similar traffic patterns.
For example, you might organize your network to include groups for mail servers, departmental users, labs, or development teams. With this organization, you can differentiate network behavior and enforce behavior-based security policies. However, do not group a server that has unique behavior with other servers on your network. Placing a unique server in its own object gives the server greater visibility in JSA and makes it easier to create security policies that are specific to that server.
Place servers with high volumes of traffic, such as mail servers, at the top of the group. With this ordering, a discrepancy in traffic volume is easier to spot visually.
Do not configure a network group with more than 15 objects.
Large network groups can cause difficulty when you view detailed information for each object. If your deployment processes more than 600,000 flows, consider creating multiple top-level groups.
Conserve disk space by combining multiple CIDR ranges or subnets into a single network object.
For example, add key servers as individual objects, and group other major but related servers into one multi-CIDR object.
Table 1: Example Of Multiple CIDRs and Subnets in a Single Network Group
Define an all-encompassing group so that when you define new networks, the appropriate policies and behavior monitors are applied.
In the following example, if you add an HR department network, such as 10.10.50.0/24, to the Cleveland group, the traffic is displayed as Cleveland-based and any rules that you apply to the Cleveland group are applied to it by default.
Table 2: Example Of an All-encompassing Group
In a domain-enabled environment, ensure that each IP address is assigned to the appropriate domain.
Acceptable CIDR Values
JSA accepts only the CIDR values listed in the following table:
Table 3: Acceptable CIDR Values
Number of Networks
Whether a prefix is a supernet or a subnet depends on how its prefix length compares with the natural (or classful) mask of the address. A network is called a supernet when the prefix boundary contains fewer bits than the natural mask of the network. A network is called a subnet when the prefix boundary contains more bits than the natural mask of the network. For example:
192.0.0.0 is a class C network address with a natural mask of /24.
192.0.0.0/22 is a supernet that yields four /24 subnets:
Subnet Host Range
0 192.0.0.1 - 192.0.0.254
1 192.0.1.1 - 192.0.1.254
2 192.0.2.1 - 192.0.2.254
3 192.0.3.1 - 192.0.3.254
192.0.0.0/21 is a supernet that yields eight /24 subnets:
Subnet Host Range
0 192.0.0.1 - 192.0.0.254
1 192.0.1.1 - 192.0.1.254
2 192.0.2.1 - 192.0.2.254
3 192.0.3.1 - 192.0.3.254
4 192.0.4.1 - 192.0.4.254
5 192.0.5.1 - 192.0.5.254
6 192.0.6.1 - 192.0.6.254
7 192.0.7.1 - 192.0.7.254
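The following Python script is an added example, not part of the JSA documentation. It uses the standard library ipaddress module to classify a prefix as a supernet, a subnet, or a classful network relative to the natural mask of its address class, and to enumerate the /24 host ranges that a supernet yields. The 192.0.0.0 addresses are constructed sample values.

```python
import ipaddress

# Added example (not JSA code): supernet/subnet classification against the
# classful mask, and enumeration of the /24 subnets a supernet contains.


def classful_prefix(network):
    """Natural (classful) prefix length for the network's first octet.

    Class A (0-127) -> /8, class B (128-191) -> /16, class C (192-223) -> /24.
    Class D/E addresses have no classful host mask and are rejected.
    """
    first_octet = int(network.network_address) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{network} is not a class A, B or C address")


def classify(cidr):
    """Return 'supernet', 'subnet' or 'classful' for a CIDR string.

    strict=False tolerates host bits in the address (10.1.2.3/24 -> 10.1.2.0/24).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    natural = classful_prefix(net)
    if net.prefixlen < natural:
        return "supernet"      # fewer prefix bits than the natural mask
    if net.prefixlen > natural:
        return "subnet"        # more prefix bits than the natural mask
    return "classful"


def host_ranges(cidr, new_prefix=24):
    """Split a supernet into new_prefix networks.

    Returns a list of (index, first usable host, last usable host) tuples, the
    same layout as the Subnet / Host Range tables above.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if new_prefix <= net.prefixlen:
        raise ValueError(f"/{new_prefix} is not smaller than {net}")
    ranges = []
    for index, sub in enumerate(net.subnets(new_prefix=new_prefix)):
        hosts = list(sub.hosts())          # excludes network and broadcast addresses
        ranges.append((index, str(hosts[0]), str(hosts[-1])))
    return ranges


if __name__ == "__main__":
    for cidr in ("192.0.0.0/24", "192.0.0.0/22", "192.0.0.0/26"):
        print(f"{cidr:16} {classify(cidr)}")
    for cidr in ("192.0.0.0/22", "192.0.0.0/21"):
        print(f"\n{cidr} yields {len(host_ranges(cidr))} subnets:")
        for index, first, last in host_ranges(cidr):
            print(f"{index} {first} - {last}")
```

A /22 on a class C address yields 4 subnets and a /21 yields 8; each additional bit removed from the natural mask doubles the count.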
Defining Your Network Hierarchy
A default network hierarchy that contains pre-defined network groups is included in JSA. You can edit the pre-defined network hierarchy objects, or you can create new network groups or objects.
Network objects are containers for CIDR addresses. Any IP address that is covered by a CIDR range in the network hierarchy is considered a local address. Any IP address that is not covered by a network object's CIDR range is considered a remote address. A CIDR can belong to only one network object; however, subsets of that CIDR range can belong to another network object, and network traffic is matched to the most specific (longest-prefix) CIDR. A network object can have multiple CIDR ranges assigned to it.
Some of the default building blocks and rules in JSA use the default network hierarchy objects. Before you change a default network hierarchy object, search the rules and building blocks to understand how the object is used and which rules and building blocks might need adjustments after you modify the object. It is important to keep the network hierarchy, rules, and building blocks up to date to prevent false offenses.
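The following Python model is an added example, not JSA code. It demonstrates the matching rules from the paragraph above (local versus remote, one object per exact CIDR, subsets allowed in other objects, most specific CIDR wins) and the all-encompassing group from the Cleveland example: the 10.10.50.0/24 HR network is not defined as its own object, yet it resolves to the Cleveland group through the encompassing 10.10.0.0/16 object. The object names and 10.10.0.0/16 ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not JSA code): how an IP address is resolved against a network
# hierarchy. Object names and address ranges below are constructed sample data.


@dataclass
class NetworkObject:
    name: str
    group: str
    cidrs: list = field(default_factory=list)   # one object may hold several CIDRs


class NetworkHierarchy:
    def __init__(self):
        self.objects = []
        self._owner = {}   # exact CIDR -> object name; a CIDR belongs to one object only

    def add(self, name, group, *cidrs):
        # strict=True rejects CIDRs with host bits set, such as 10.10.50.1/24
        nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
        for net in nets:               # validate everything before mutating state
            owner = self._owner.get(net)
            if owner is not None:
                raise ValueError(f"{net} already belongs to {owner}")
        obj = NetworkObject(name, group, nets)
        for net in nets:
            self._owner[net] = name
        self.objects.append(obj)
        return obj

    def lookup(self, ip):
        """Return (object, cidr) for the most specific CIDR containing ip, else (None, None)."""
        addr = ipaddress.ip_address(ip)
        best_obj, best_net = None, None
        for obj in self.objects:
            for net in obj.cidrs:
                if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                    best_obj, best_net = obj, net
        return best_obj, best_net

    def is_local(self, ip):
        # Local means covered by some CIDR in the hierarchy; everything else is remote.
        return self.lookup(ip)[0] is not None

    def describe(self, ip):
        obj, net = self.lookup(ip)
        if obj is None:
            return f"{ip}: remote"
        return f"{ip}: local, {obj.group}/{obj.name} via {net}"


def build_example():
    h = NetworkHierarchy()
    # All-encompassing object for the site: networks added later inherit Cleveland rules
    h.add("Cleveland.All", "Cleveland", "10.10.0.0/16")
    # High-traffic servers in their own object; a unique server isolated as a /32
    h.add("Cleveland.MailServers", "Cleveland", "10.10.20.0/24")
    h.add("Cleveland.DBServer01", "Cleveland", "10.10.30.5/32")
    # Related subnets combined into a single multi-CIDR object
    h.add("Cleveland.Finance", "Cleveland", "10.10.40.0/24", "10.10.41.0/24")
    return h


def duplicate_cidr_rejected(h, cidr):
    """True if the hierarchy refuses to give an already-claimed CIDR to a second object."""
    try:
        h.add("Cleveland.Duplicate", "Cleveland", cidr)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    h = build_example()
    for ip in ("10.10.20.15", "10.10.30.5", "10.10.41.200", "10.10.50.8", "203.0.113.9"):
        print(h.describe(ip))
    print("reusing 10.10.20.0/24 rejected:", duplicate_cidr_rejected(h, "10.10.20.0/24"))
    print("subset 10.10.50.0/24 rejected:", duplicate_cidr_rejected(h, "10.10.50.0/24"))
```

Adding 10.10.50.0/24 as its own object later is allowed because it is a subset of 10.10.0.0/16 rather than the same CIDR; after that, 10.10.50.8 resolves to the new, more specific object instead of Cleveland.All.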
- On the navigation menu, click Admin to open the Admin tab.
- In the System Configuration section, click Network Hierarchy.
- From the menu tree on the Network Views window, select the area of the network in which you want to work.
- To add network objects, follow these steps:
Click Add and type a unique name and description for the object.
From the Group list, select the group in which you want to add the new network object.
To add a group, click the icon beside the Group list and type a name for the group.
Type a CIDR range for this object and click Add.
Repeat the steps for all network objects.
- Click Edit or Delete to work with existing network objects.