The Network Model
The network model is a representation of the nodes on your network and certain characteristics of the network itself.
Before you can make an informed decision about what to do about a particular event, it helps to know something about the event's source and destination. Is the source a previous attacker, does it come from a hostile region of the world, or is it a trusted server that has become the source of an attack? Does the destination host critical applications, or is it a known server of forbidden services?
This kind of information is captured by modeling the assets on your network and particular pertinent attributes of the network. The network model represents information for individual assets and whole zones. For critical assets on the protected network, network modeling captures important facts that help inform your decisions, such as:
- All open ports
- The operating system running on that host
- Known vulnerabilities that might be exposed
- Applications present
- The missions these applications support and their criticality to your operation
For less critical assets, such as a block of addresses on the Internet, it may be sufficient to know general information about them, such as the country in which those assets reside.
The Network Model consists of the following resources. All of these resources, except Customers, are part of the Assets resource.
- Assets represent individual nodes on the network, such as servers, routers, and laptops.
- Asset Ranges represent a set of network nodes addressable as a contiguous block of IP addresses.
- Zones represent portions of the network itself that are characterized by a contiguous block of addresses.
- Networks provide an additional distinction to differentiate between two private address spaces with overlapping IP address ranges.
- Customers describe the internal or external cost centers or separate business units associated with networks, if applicable to your business environment. Customer tagging is a feature developed mainly to support Managed Security Service Provider (MSSP) environments, although it can also be used by private organizations to denote cost centers, internal groups, or subdivisions. The Customer designation keeps event traffic from multiple cost centers or business units separately identified. Think of a customer as the "owner" of an event, rather than the source or target of an event.
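The following added example (not the product's own code or API) sketches how these resources fit together when an event is enriched: the same private address resolves to different zones and assets depending on the network it was seen on. All class names, field names, networks, addresses and asset attributes are constructed assumptions, including the per-network customer mapping.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    network: str   # Network resource this zone belongs to
    first: str     # start of the contiguous address block
    last: str      # end of the contiguous address block

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address
        return addr(self.first) <= addr(ip) <= addr(self.last)

# Constructed sample model: two private networks reuse the same 10.0.0.x block.
ZONES = [
    Zone("HQ Servers", "Corp-HQ", "10.0.0.0", "10.0.0.255"),
    Zone("Branch Servers", "Corp-Branch", "10.0.0.0", "10.0.0.255"),
    Zone("External Block", "Internet", "198.51.100.0", "198.51.100.255"),
]
# Assets are keyed by (network, address), so one IP can be two different hosts.
ASSETS = {
    ("Corp-HQ", "10.0.0.5"): {"name": "payroll-db", "criticality": "high"},
    ("Corp-Branch", "10.0.0.5"): {"name": "print-server", "criticality": "low"},
}
# Assumed customer tag per network: the "owner" of events seen there.
CUSTOMERS = {"Corp-HQ": "Finance", "Corp-Branch": "Facilities"}

def resolve(network: str, ip: str):
    """Return (zone, asset) for an address as seen on the given network."""
    zone = next((z for z in ZONES if z.network == network and z.contains(ip)), None)
    return zone, ASSETS.get((network, ip))

def enrich(event: dict) -> dict:
    """Attach zone, asset and customer context to a raw event."""
    zone, asset = resolve(event["network"], event["dst"])
    return {
        **event,
        "customer": CUSTOMERS.get(event["network"]),
        "dst_zone": zone.name if zone else None,
        "dst_asset": asset["name"] if asset else None,
        "dst_criticality": asset["criticality"] if asset else "unmodeled",
    }

if __name__ == "__main__":
    for net in ("Corp-HQ", "Corp-Branch"):
        print(enrich({"network": net, "dst": "10.0.0.5", "name": "port scan"}))
```

An address that falls in a zone but has no asset entry, such as one in the external block, still gets zone-level context, which matches the page's point that general information is enough for less critical assets.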