Network Hierarchy
JSA uses the network hierarchy objects and groups to view network activity and monitor groups or services in your network.
When you develop your network hierarchy, consider the most effective method for viewing network activity. The network hierarchy does not need to resemble the physical deployment of your network. JSA supports any network hierarchy that can be defined by a range of IP addresses. You can base your network on many different variables, including geographical or business units.
Guidelines for Defining Your Network Hierarchy
Building a network hierarchy in JSA is an essential first step in configuring your deployment. Without a well configured network hierarchy, JSA cannot determine flow directions, build a reliable asset database, or benefit from useful building blocks in rules.
Consider the following guidelines when you define your network hierarchy:
Organize your systems and networks by role or similar traffic patterns.
For example, you might organize your network to include groups for mail servers, departmental users, labs, or development teams. Using this organization, you can differentiate network behavior and enforce behavior-based network management security policies. However, do not group a server that has unique behavior with other servers on your network. Placing a unique server alone gives that server greater visibility in JSA and makes it easier to create specific security policies for it.
Place servers with high volumes of traffic, such as mail servers, at the top of the group. This hierarchy provides you with a visual representation when a discrepancy occurs.
Avoid having too many elements at the root level.
Large numbers of root level elements can cause the Network hierarchy page to take a long time to load.
Do not configure a network group with more than 15 objects.
Large network groups can cause difficulty when you view detailed information for each object. If your deployment processes more than 600,000 flows, consider creating multiple top-level groups.
Conserve disk space by combining multiple Classless Inter-Domain Routing (CIDR) ranges or subnets into a single network group.
For example, add key servers as individual objects, and group other major but related servers into multi-CIDR objects.
Table 1: Example Of Multiple CIDRs and Subnets in a Single Network Group

Group | Description | IP addresses
---|---|---
1 | Marketing | 10.10.5.0/24
2 | Sales | 10.10.8.0/21
3 | Database Cluster | 10.10.1.3/32, 10.10.1.4/32, 10.10.1.5/32
Define an all-encompassing group so that when you define new networks, the appropriate policies and behavior monitors are applied.
In the following example, if you add an HR department network, such as 10.10.50.0/24, to the Cleveland group, the traffic displays as Cleveland-based and any rules you apply to the Cleveland group are applied by default.
Table 2: Example Of an All-encompassing Group

Group | Subgroup | IP address
---|---|---
Cleveland | Cleveland miscellaneous | 10.10.0.0/16
Cleveland | Cleveland Sales | 10.10.8.0/21
Cleveland | Cleveland Marketing | 10.10.1.0/24
In a domain-enabled environment, ensure that each IP address is assigned to the appropriate domain.
Acceptable CIDR Values
JSA accepts specific CIDR values.
The following table provides a list of the CIDR values that JSA accepts:
CIDR Length | Mask | Number of Networks | Hosts
---|---|---|---
/1 | 128.0.0.0 | 128 A | 2,147,483,392
/2 | 192.0.0.0 | 64 A | 1,073,741,696
/3 | 224.0.0.0 | 32 A | 536,870,848
/4 | 240.0.0.0 | 16 A | 268,435,424
/5 | 248.0.0.0 | 8 A | 134,217,712
/6 | 252.0.0.0 | 4 A | 67,108,856
/7 | 254.0.0.0 | 2 A | 33,554,428
/8 | 255.0.0.0 | 1 A | 16,777,214
/9 | 255.128.0.0 | 128 B | 8,388,352
/10 | 255.192.0.0 | 64 B | 4,194,176
/11 | 255.224.0.0 | 32 B | 2,097,088
/12 | 255.240.0.0 | 16 B | 1,048,544
/13 | 255.248.0.0 | 8 B | 524,272
/14 | 255.252.0.0 | 4 B | 262,136
/15 | 255.254.0.0 | 2 B | 131,068
/16 | 255.255.0.0 | 1 B | 65,534
/17 | 255.255.128.0 | 128 C | 32,512
/18 | 255.255.192.0 | 64 C | 16,256
/19 | 255.255.224.0 | 32 C | 8,128
/20 | 255.255.240.0 | 16 C | 4,064
/21 | 255.255.248.0 | 8 C | 2,032
/22 | 255.255.252.0 | 4 C | 1,016
/23 | 255.255.254.0 | 2 C | 508
/24 | 255.255.255.0 | 1 C | 254
/25 | 255.255.255.128 | 2 subnets | 124
/26 | 255.255.255.192 | 4 subnets | 62
/27 | 255.255.255.224 | 8 subnets | 30
/28 | 255.255.255.240 | 16 subnets | 14
/29 | 255.255.255.248 | 32 subnets | 6
/30 | 255.255.255.252 | 64 subnets | 2
/31 | 255.255.255.254 | none | none
/32 | 255.255.255.255 | 1/256 C | 1
A network is called a supernet when the prefix boundary contains fewer bits than the natural (or classful) mask of the network. A network is called a subnet when the prefix boundary contains more bits than the natural mask of the network. For example:
209.60.128.0 is a class C network address with a mask of /24.
209.60.128.0 /22 is a supernet that yields:
209.60.128.0 /24
209.60.129.0 /24
209.60.130.0 /24
209.60.131.0 /24
192.0.0.0 /25 is a subnet that yields:

Subnet | Host Range
---|---
0 | 192.0.0.1 - 192.0.0.126
1 | 192.0.0.129 - 192.0.0.254

192.0.0.0 /26 is a subnet that yields:

Subnet | Host Range
---|---
0 | 192.0.0.1 - 192.0.0.62
1 | 192.0.0.65 - 192.0.0.126
2 | 192.0.0.129 - 192.0.0.190
3 | 192.0.0.193 - 192.0.0.254

192.0.0.0 /27 is a subnet that yields:

Subnet | Host Range
---|---
0 | 192.0.0.1 - 192.0.0.30
1 | 192.0.0.33 - 192.0.0.62
2 | 192.0.0.65 - 192.0.0.94
3 | 192.0.0.97 - 192.0.0.126
4 | 192.0.0.129 - 192.0.0.158
5 | 192.0.0.161 - 192.0.0.190
6 | 192.0.0.193 - 192.0.0.222
7 | 192.0.0.225 - 192.0.0.254
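The supernet and subnet definitions above, as an added Python example that is not part of the JSA documentation: natural_prefix derives the classful mask from the first octet (class A, B or C), classify applies the page's definition, and the two helpers reproduce the 209.60.128.0 /22 and 192.0.0.0 tables.

```python
import ipaddress


def natural_prefix(network):
    """Classful (natural) mask length from the first octet: A=/8, B=/16, C=/24."""
    first = int(str(network.network_address).split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses have no classful host mask")


def classify(cidr):
    """'supernet' if the prefix is shorter than the natural mask, 'subnet' if longer."""
    net = ipaddress.ip_network(cidr, strict=False)
    natural = natural_prefix(net)
    if net.prefixlen < natural:
        return "supernet"
    if net.prefixlen > natural:
        return "subnet"
    return "classful"


def supernet_members(cidr):
    """Classful networks a supernet yields, e.g. 209.60.128.0/22 -> four /24 networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(n) for n in net.subnets(new_prefix=natural_prefix(net))]


def subnet_host_ranges(classful_cidr, new_prefix):
    """(index, first host, last host) for each subnet of a classful network."""
    net = ipaddress.ip_network(classful_cidr, strict=False)
    ranges = []
    for i, sub in enumerate(net.subnets(new_prefix=new_prefix)):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        ranges.append((i, str(hosts[0]), str(hosts[-1])))
    return ranges


if __name__ == "__main__":
    print(classify("209.60.128.0/22"), supernet_members("209.60.128.0/22"))
    for row in subnet_host_ranges("192.0.0.0/24", 27):
        print(row)
```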
Defining Your Network Hierarchy
A default network hierarchy that contains pre-defined network groups is included in JSA. You can edit the pre-defined network hierarchy objects, or you can create new network groups or objects.
Network objects are containers for Classless Inter-Domain Routing (CIDR) addresses. Any IP address that is defined by a CIDR range in the network hierarchy is considered to be a local address. Any IP address that is not defined in a CIDR range in the network hierarchy is considered to be a remote address. A CIDR can belong only to one network object, but subsets of a CIDR range can belong to another network object. Network traffic matches the most exact CIDR. A network object can have multiple CIDR ranges assigned to it.
Some of the default building blocks and rules in JSA use the default network hierarchy objects. Before you change a default network hierarchy object, search the rules and building blocks to understand how the object is used and which rules and building blocks might need adjustments after you modify the object. It is important to keep the network hierarchy, rules, and building blocks up to date to prevent false offenses.
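The matching rules described above (one CIDR per object, the most exact CIDR wins, unmatched addresses are remote), as an added Python example that is not part of the JSA documentation. It loads the Table 2 Cleveland objects plus the Table 1 Database Cluster, which is placed under the Cleveland group here as an assumption.

```python
import ipaddress


class NetworkHierarchy:
    """Constructed model of the JSA matching rules: a CIDR belongs to exactly one
    network object, traffic matches the most exact (longest-prefix) CIDR, and an
    address that matches nothing is remote."""

    def __init__(self):
        self._group = {}    # object name -> group name
        self._by_cidr = {}  # ip_network -> object name

    def add_object(self, group, name, cidrs):
        """Add a network object with one or more CIDR ranges."""
        for c in cidrs:
            net = ipaddress.ip_network(c, strict=True)  # reject host bits set
            if net in self._by_cidr:
                raise ValueError(f"{net} already belongs to {self._by_cidr[net]}")
            self._by_cidr[net] = name
        self._group[name] = group

    def match(self, ip):
        """Return (group, object, cidr) of the most exact match, or None if remote."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, name in self._by_cidr.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name)
        if best is None:
            return None
        return (self._group[best[1]], best[1], str(best[0]))

    def is_local(self, ip):
        return self.match(ip) is not None


def build_example():
    """Objects from Table 2; Database Cluster from Table 1 (its group is assumed)."""
    h = NetworkHierarchy()
    h.add_object("Cleveland", "Cleveland miscellaneous", ["10.10.0.0/16"])
    h.add_object("Cleveland", "Cleveland Sales", ["10.10.8.0/21"])
    h.add_object("Cleveland", "Cleveland Marketing", ["10.10.1.0/24"])
    h.add_object("Cleveland", "Database Cluster",
                 ["10.10.1.3/32", "10.10.1.4/32", "10.10.1.5/32"])
    return h


if __name__ == "__main__":
    h = build_example()
    for ip in ("10.10.50.7", "10.10.9.1", "10.10.1.4", "10.10.1.9", "192.168.1.1"):
        print(ip, "->", h.match(ip) or "remote")
```

A new HR network such as 10.10.50.0/24 falls into Cleveland miscellaneous until a more specific object is added, which is the all-encompassing behaviour Table 2 illustrates.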
On the navigation menu, click Admin.
In the System Configuration section, click Network Hierarchy.
From the menu tree on the Network Views window, select the area of the network in which you want to work.
To add network objects, click Add and complete the following fields:
Table 4: Add Network Objects

Option | Description
---|---
Name | The unique name of the network object. Note: You can use periods in network object names to define network object hierarchies. For example, if you enter the object name D.E.F, you create a three-tier hierarchy with E as a subnode of D, and F as a subnode of E.
Group | The network group in which to add the network object. Select from the Group list, or click Add a New Group. Note: When you add a network group, you can use periods in network group names to define network group hierarchies. For example, if you enter the group name A.B.C, you create a three-tier hierarchy with B as a subnode of A, and C as a subnode of B.
IP/CIDR(s) | Type an IP address or CIDR range for the network object, and click Add. You can add multiple IP addresses and CIDR ranges.
Description | A description of the network object.
Country / Region | The country or region in which the network object is located.
Longitude and Latitude | The geographic location (longitude and latitude) of the network object. These fields are co-dependent.
Click Create.
Repeat the steps to add more network objects, or click Edit or Delete to work with existing network objects.