
Data Network Asset Model Primer

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 13 min read

Summary:

### Summary of Network Infrastructure Setup for POS Web Application

#### 1. Network Components

- **Router:** Connects to the Internet.
- **Firewall:** Controls access and provides routing between networks.
- **Public-facing DMZ (POS Webservers):** Reached through the Firewall.
- **Internal-facing DMZ (green):** Connects to the internal network via the Firewall.
- **Blue interface in the internal DMZ:** Carries traffic between the POS Webservers and the Database Server.
- **Network:** Routed gateway from the LAN to the Network.
- **Management DMZ:** Routed gateway for management network access to all devices.

#### 2. Assets

- **POS Webservers:** Three servers.
- **Database Server:** One server.

#### 3. Requirements

- Define and link all assets with their IP addresses, specifically using the Firewall's gateway IPs for the finance definition.
- Perform vulnerability scans:
  - Scan from the LAN to the POS external and internal DMZ, then from the Internet to both the external and internal DMZ.
  - Scan from the LAN and the Internet to the POS-DB internal DMZ.
  - Scan the Management DMZ from the Internet and the LAN.
- The scans should mimic the access patterns of each source network, so that the threat landscape can be analyzed by where traffic originates (enhanced analytics).

### Security and Automation in the IT Environment

#### Enhancing Intrusion Detection Systems (IDS)

- **Misconfigurations or differing service implementations:** An IDS may misidentify threats; if the cause is properly understood, the misidentification should not significantly change the incident's severity.
- **Automated asset updates:** Improve the ArcSight SIEM solution by ensuring accurate identification of attack sources and destination vulnerabilities.
- **Access controls:** Restrict access to POS applications and databases from the Internet, allowing only authorized personnel through a management network.

#### Integrating CMDB and IPAM Databases with IDS

- **Comprehensive asset model:** Includes a TCP/UDP service inventory and vulnerability data.
- **Implementation phases:** Because the initial information is incomplete, the work is planned in phases to build a master repository for network management.

#### McAfee Solutions for the CMDB Gap

- **Categorizing customers:** For support, classify services such as financial systems, payment card systems and HR systems by their CIA values.
- **Mapping IP addresses:** Use DNS names, incorporating subnet information from IPAM and category details for the CIA values.

### Categorizing Zones in the ArcSight Asset Database

- **Manual update of the IPAM database:** Add specific categorizations such as VPN DHCP ranges.
- **Automated categorization:** Less labor-intensive than the alternatives; automation improves asset management.

### Conclusion

The network infrastructure setup and the outlined processes aim to enhance security, automate IT operations, and provide a detailed understanding of network traffic for better threat detection and response.

Details:

This document serves as a primer for ArcSight Professional Services, intended to familiarize customers with the options available when defining a data model for ArcSight. It explains the importance of both the network model and the asset model within a SIEM solution. The introduction highlights that well-planned data models offer significant benefits: enhanced context in correlation, and improved event schema and reporting capabilities. This is achieved by understanding what is being protected (the business assets) and the associated risks, which enables better reporting on residual risk, faster analytics based on security impact, and situational awareness for network monitoring tailored to the organization's own processes and policies.

ArcSight ESM is a software solution designed to help organizations manage compliance by providing clear views of the risk associated with standards such as PCI (Payment Card Industry), SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act) and ISO 27001. It offers an open standard for customers to define the classification of their assets, which helps in assessing the criticality of assets over time. ArcSight ESM operates on a data model that builds business-oriented views from physical information systems. This includes network modeling to track the devices involved in monitored traffic, and it provides detailed layers that enhance ArcSight's correlation capabilities for identifying events within the network. The network model is crucial as a baseline configuration and requires ongoing operational maintenance to remain effective.

The data model integrates the Network Model and the Asset Model and illustrates the possible relationships between them. The Network Model represents nodes on a network with specific characteristics, including information about individual assets and whole zones relevant to assessing events. This helps in understanding the origin and destination of an event, such as whether it comes from a previously seen attacker or from a trusted server that has suddenly become hostile. By capturing this information through asset modeling, ArcSight ESM can better evaluate the criticality of specific network elements such as critical assets and zones.

The text covers several key concepts in network modeling, specifically assets, customers, zones, networks and asset ranges:

1. **Assets**: Individual nodes on a network such as servers, routers and laptops. They are significant enough to be characterized with details that enhance correlation and reporting. Assets can be created automatically from devices discovered by a vulnerability scanner or device discovery tool.

2. **Asset Ranges**: A set of contiguous IP addresses representing multiple network nodes. Ranges help to organize assets more efficiently.

3. **Zones**: Portions of the network characterized by a contiguous block of addresses. They provide an additional level of distinction within the network structure.

4. **Networks**: Networks differentiate between two private address spaces with overlapping IP address ranges, providing a higher level of organization and clarity in managing network resources.

5. **Customers**: Internal or external cost centers or separate business units associated with networks. This tagging keeps event traffic from different entities separate for better management. A customer can be thought of as the "owner" of an event rather than just a source or target, which aids more specific reporting and tracking.
Overall, these concepts are crucial for understanding and managing network infrastructure effectively, because they attach to each asset detailed information about its relevance to business operations and allow better decisions based on facts such as open ports, operating system details, known vulnerabilities, and the importance of applications to business processes.

The article then discusses discovering and identifying assets using ArcSight SmartConnectors for network monitoring. It emphasizes that the network-visible interfaces to consider include routers, firewalls and web servers with IP or MAC addresses, and that one physical device, such as a router, can have multiple active network interfaces. It also highlights ArcSight ESM's asset aging function, which tracks the last time an asset was scanned and reduces confidence in the asset if it has not been updated within a configurable period.

It then defines what constitutes an asset range and how it helps manage larger groups of interconnected devices such as server VLANs or DMZs, simplifying tracking for practical purposes. Asset ranges are used when multiple network nodes need to be tracked but cannot be monitored individually because of their number (for example servers, desktops and laptops using DHCP). SmartConnectors or ArcSight ESM identify log source endpoints as either individual assets or part of an asset range based on the IP address block in use. The concept of zones is then introduced: functional parts of a network with connected IP addresses (such as DMZ, VPN, wireless LAN and DHCP networks). Every asset or address range in these zones carries a reference to its zone within the ArcSight configuration for better management and monitoring.

The text then covers several aspects of asset management and network security. Firstly, zones are important for importing assets, whether via batch processes or from vulnerability scanners. Zones should be configured as static or dynamic according to DHCP usage, and static assets can be configured manually within dynamic zones. Asset groups provide a hierarchical structure in which properties assigned to an asset group apply to all its member assets. It is recommended to have zones in place before importing assets; otherwise assets would have to be assigned to zones manually or re-imported in a further batch. Asset ranges are also used to control permissions through role-based access control, so that responsibility for reporting on assets can be delegated.

The text also describes the asset model resources, which include locations and vulnerabilities, as part of the overall network modeling process. Vulnerabilities in the network are typically discovered and updated by scanners, with manual changes usually tied to Knowledge Base articles. Locations map IP addresses to owning bodies and allow adjustments such as physical location details or corrections to the default database mappings. Location information can be set for an asset if it sits in a different geographic area from the one the mapping database associates with its IP address, which highlights the flexibility required in defining where each asset resides within the network architecture.

Asset categories describe assets by their usage and function. They are essential for adding specificity, relevance and context to the vast amount of data flowing through a network: by establishing classification, identity, ownership and criticality, they give structure to the diverse information being processed.
Each category holds specific properties defined under broader system asset categories such as Criticality, where the members define the possible values for that property. Categories can be assigned directly to assets or inherited from higher-level structures such as ranges or groups: if an asset falls within a range, it automatically inherits the categories assigned to that range. Asset Groups are collections of one or more assets that share common properties set at the group level; these properties cascade down to all contained assets and ranges. Lastly, while asset categories can be applied directly to zones to categorize network traffic, this does not imply a direct relationship between the category definitions and specific assets within those networks. This is particularly relevant for dynamic or transient environments such as wireless or VPN networks, where the set of connected devices varies over time.

The passage then discusses implementing a data model with HP's ArcSight solution, describing three main options for creating and managing zones, assets and asset ranges: manually, through the Network Modelling Tool (using CSV files), and with the Asset Import Connector.

1. **Manual option**: Zones, Assets and Asset Ranges are created by hand in the ArcSight console. This is useful for fine-tuning or enhancing an existing configuration but does not scale well to large deployments.

2. **Network Modelling Tool**: Three CSV files are imported into the ArcSight console through a network model wizard, which populates the network and asset model with structured information. Its advantages are simplicity in defining a network model, a controlled way of consolidating the necessary data, and incremental updates to Zones, Assets or Asset Ranges. However, it requires converting data into specific CSV formats and relies on a manual GUI/wizard for the import.

3. **Asset Import Connector**: HP ArcSight also offers this option, which uses the SmartConnector framework to import network models directly from sources such as Active Directory, LDAP or other systems supported by standard connectors. It is designed to be more automated and can handle larger deployments more efficiently than manual methods.

Each method has its pros and cons, and the choice depends on the requirements, the deployment size and ease-of-use preferences. The passage emphasizes that a combination of these options is often used in large enterprises to build an integrated model without recreating existing data.

The text then describes further methods for importing and managing assets in HP ArcSight, with their respective pros and cons:

1. **Asset Import Connector**: Allows automated import of assets using a CSV format template. However, it does not support importing network zones or asset ranges, and data must be modeled into this specific CSV format, although there is flexibility in mapping company-specific data to the required format.

2. **Vulnerability scanner / network scanner**: Populates assets from the scan results of vulnerability scanners and network scanners. HP offers SmartConnectors that import scan data, automatically or manually, from various vendors' vulnerability and network scanners into ArcSight. The advantages are that these tools are already common in enterprise networks, they provide valuable vulnerability information, and they give details of TCP/UDP services. The drawbacks are that they mainly provide asset information without modeling zones or ranges, and undefined assets may need manual configuration until they are assigned to the appropriate categories.

3. **Auto asset creation using SmartConnectors**: ArcSight SmartConnectors create assets automatically when a new IP address is detected as a log source. The advantage is an additional means of creating assets for such devices.

On setting up data models, the text advises that Zones should be created in ArcSight as a foundation dataset so that the other tools can build on them, and that Networks should be created manually where the organization has overlapping IP address subnets. The main goal is a manageable data model that fits the security requirements and supports event enrichment and correlation rules. Sometimes assets (such as computers or servers) appear as separate objects even though they belong together, because ArcSight treats each IP address individually; this is likely in large organizations with many devices. The text also suggests working with HP's professional services team to develop an asset model strategy that fits the organization's needs and gets the most out of the ArcSight solution.

When defining the Data Model requirements and success criteria for implementing a network model, it is crucial to consider a contextual scenario that helps set the objectives. The example provided outlines a corporate network environment with a Wide Area Network (WAN), Datacentre 1 and Datacentre 2 Local Area Networks (LANs), satellite sales branches, head offices in the UK and the US, a DHCP service for desktops, a printer network, guest wireless network services and more. Based on this scenario, several objectives are outlined.

Objective 1: Create Zones within ArcSight to represent all major network hubs: the IP address ranges of the subsidiary company, the UK head office, the US head office, DataCentre 2, DataCentre 1 and the satellite sales branches' WAN. Where IP addresses overlap between any two zones, corresponding Networks should be created in ArcSight to keep them distinct. This provides the foundation for creating assets, either manually or automatically using tools such as SmartConnectors or vulnerability scanning data. Automated Zone updates are also expected to be used within ArcSight, following HP's standard documented methods. This involves defining the different types of network (such as DMZ and Remote Access VPN) within DataCentre 1 and 2 and categorizing them by function: for example, some subnets are categorized as "DMZ" with static IP addresses, others as "Remote Access Client VPN" with DHCP addressing. NAT settings also need to be defined for certain VPN subnets. In the US Head Office there are specific network setups:

  • Wireless networks and desktop networks use DHCP addressing.

  • Printer networks have their own VLAN.

  • Management networks are part of a Virtual Routing and Forwarding (VRF) setup.
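The zone, Network, asset range and category relationships described above, as an added example written for this page (not ArcSight code or the page's data): a small model in which each zone belongs to an ArcSight Network, ranges sit inside zones, and an asset's effective categories are its own plus those inherited from its range and zone. Zone names, address blocks and category URIs are constructed assumptions; the reused 192.168.1.0/24 block shows why overlapping address space needs a second Network.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Zone:
    name: str
    network: str                 # ArcSight "Network": separates overlapping address spaces
    cidr: str                    # contiguous address block the zone covers
    categories: set = field(default_factory=set)
    dynamic: bool = False        # True for DHCP/VPN zones whose members change

@dataclass
class AssetRange:
    name: str
    zone: str
    first: str
    last: str
    categories: set = field(default_factory=set)

@dataclass
class Asset:
    name: str
    ip: str
    network: str
    categories: set = field(default_factory=set)   # categories set directly on the asset

# Constructed sample model (assumption, not the page's data). Category URIs follow the
# "/Group/Value" style of ArcSight asset categories; the actual values are invented.
ZONES = [
    Zone("DC1 DMZ", "Corporate", "10.10.0.0/24", {"/Network Domain/DMZ"}),
    Zone("DC1 RA Client VPN", "Corporate", "10.20.0.0/22", {"/Network Domain/VPN"}, dynamic=True),
    Zone("HO-US Desktops", "Corporate", "192.168.1.0/24", {"/Network Domain/DHCP"}, dynamic=True),
    # The subsidiary reuses 192.168.1.0/24, so it lives in its own ArcSight Network.
    Zone("Subsidiary LAN", "Subsidiary", "192.168.1.0/24", {"/Customer/Subsidiary"}),
]
RANGES = [
    AssetRange("DC1 DMZ Webservers", "DC1 DMZ", "10.10.0.10", "10.10.0.20",
               {"/Criticality/High", "/Business Role/Public Facing"}),
]

def find_zone(ip: str, network: str) -> Optional[Zone]:
    """Return the most specific zone in `network` whose block contains `ip`."""
    addr = ipaddress.ip_address(ip)
    matches = [z for z in ZONES
               if z.network == network and addr in ipaddress.ip_network(z.cidr)]
    if not matches:
        return None
    return max(matches, key=lambda z: ipaddress.ip_network(z.cidr).prefixlen)

def find_range(ip: str, zone: Zone) -> Optional[AssetRange]:
    """Return the asset range within `zone` that contains `ip`, if any."""
    addr = ipaddress.ip_address(ip)
    for r in RANGES:
        if r.zone == zone.name and \
           ipaddress.ip_address(r.first) <= addr <= ipaddress.ip_address(r.last):
            return r
    return None

def effective_categories(asset: Asset) -> set:
    """Categories the asset ends up with: its own plus those inherited from range and zone."""
    cats = set(asset.categories)
    zone = find_zone(asset.ip, asset.network)
    if zone is None:
        return cats | {"/Unzoned"}   # flag assets that fall outside every defined zone
    cats |= zone.categories
    rng = find_range(asset.ip, zone)
    if rng is not None:
        cats |= rng.categories
    return cats

if __name__ == "__main__":
    web = Asset("pos-web-1", "10.10.0.12", "Corporate", {"/Application/POS"})
    print(sorted(effective_categories(web)))
```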

Subsidiary companies in the Sales Satellite Branches and the UK Head Office are not included in this scope, so no asset ranges need to be defined for them. The main focus is on categorizing assets within the specified hubs and understanding their network roles through these categories. This information adds advantage and risk context for each individual asset and enables enhanced analytics that identify the source and destination addresses of events. To achieve this, HP Professional Services can offer non-standard options for automated asset range updates into ArcSight.

The objective is to include all individual assets in the finance applications and the public-facing infrastructure, with specific goals for the first 6 months of the project: valid vulnerability data and defined TCP/UDP services for these applications and infrastructure. Several Event of Interest use cases are also outlined: network communications originating from the DMZ must not initiate connectivity into the Datacentres or further networks; communications based on IP addresses (excluding the B2B VPN) are restricted to the public-facing infrastructure only; and, for specific devices such as printers and servers, policies cover the use of default usernames for access and require management access to originate from the management network. All assets defined as finance-related must be considered in these objectives.

The summary provides an overview of a network infrastructure setup for a point-of-sale (POS) web application, including its components and their interconnections. Key points from the text include:

1. **Network Components**:

  • A Router connects to the Internet.

  • The Router routes traffic to a Firewall.

  • The Firewall controls access and provides routing between networks:

    • Routed gateway from Router to Firewall.

    • Public-facing DMZ for the POS Webservers through the Firewall.

    • Internal-facing DMZ (green) connects to the internal network via the Firewall.

    • Blue interface in the internal DMZ facilitates communication between the POS Webservers and the Database Server.

    • Management DMZ with a routed gateway for management network access to all devices.

    • Routed gateway from the LAN to the Network.

2. **Assets**:

  • Three POS Webservers.

  • One Database Server.

3. **Requirements**:

  • Define and link all assets with their IP addresses, specifically using the Firewall's gateway IPs for finance definition.

  • Perform vulnerability scans:

    • Scan from the LAN to the POS external and internal DMZ, then from the Internet to both the external and internal DMZ.

    • Scan from the LAN and the Internet to the POS-DB internal DMZ.

    • Scan the Management DMZ from the Internet and the LAN.

  • The scans should mimic access patterns for each network, allowing for a detailed threat landscape analysis based on the source of traffic (enhanced analytics).

This setup aims to ensure comprehensive security and network understanding through detailed asset definition and vulnerability scanning across the network segments.

The text then discusses several aspects of network security and automation in an IT environment. It focuses on improving how an Intrusion Detection System (IDS) detects and prioritizes incidents through accurate identification of attack sources and destination vulnerabilities, specifically for TCP/UDP services such as Windows Internet Information Server (IIS) and Apache web servers. It outlines scenarios in which an IDS might misidentify a threat because of a misconfiguration or a different service implementation; if this is properly understood, it should not significantly affect the severity assigned to an incident. It also emphasizes the need for automated asset updates to improve the ArcSight SIEM solution, and suggests strict access controls on the POS applications and databases from the Internet, restricting such access to authorized personnel through a management network.

Additionally, it details integrating the existing CMDB (Configuration Management Database) and IPAM (IP Address Management) databases with the IDS to create a comprehensive asset model that includes a TCP/UDP service inventory and vulnerability data. Because the initial information is incomplete, this is to be implemented in phases. The objectives include using these databases as the master repositories for network management, defining clear roles and access controls, and establishing baseline network flow criteria for detecting anomalies.

The text then discusses implementing McAfee solutions to address gaps in the customer's CMDB, particularly for network and asset management.
The goal is to categorize customers for support, classify services such as financial systems, payment card systems and HR systems by their confidentiality, integrity and availability (CIA) values, and map IP addresses using DNS names. To achieve this, HP Professional Services will integrate the CMDB in three steps:

1. Enrich the data with IP address information for use by ArcSight in asset management. This involves editing server properties in ArcSight so that an Asset Name is created automatically from the hostname.

2. Create a specific ArcSight Asset Database that consolidates the missing data from the various sources, including the CMDB and DNS. This database uses hostnames as keys to relate IP addresses from DNS, incorporating subnet information from IPAM and category details for the CIA values.

3. Transform this data into the XML export format known as the ArcSight Archive Bundle (ARB), which is then used in the asset management process.

The document then outlines a process for categorizing zones within the ArcSight asset database. The IP Address Management (IPAM) database is updated manually with specific categorizations, such as VPN DHCP ranges, which are then inherited by the assets in the system. This method is considered less labor-intensive than the alternatives and allows the categorization to be automated. Additionally, vulnerability data will be imported into each asset using its IP address and a key index. The diagram provided represents the ArcSight Asset Database that is created.
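The CMDB integration steps just described, together with the asset aging rule from earlier in the document, as an added example that is not taken from the page or from HP's tooling: constructed CMDB, DNS, IPAM and scanner records are joined by hostname into asset records that carry the IPAM zone categorization, the CIA categories and the scan data, and gaps such as a hostname with no DNS record or an IP outside every IPAM subnet are reported rather than silently dropped. The AS_OF date, the 90-day aging window, the category URIs and the vulnerability identifier are all assumptions; the ARB export itself is not shown.

```python
import ipaddress
from datetime import date

AS_OF = date(2025, 4, 8)   # fixed "today" so the aging check is reproducible (assumption)

# Constructed sample sources (assumptions, not the customer's data).
CMDB = [   # service classification and CIA rating per hostname
    {"hostname": "pos-web-1", "service": "Payment Card", "cia": "H/H/H"},
    {"hostname": "hr-app-1", "service": "HR", "cia": "H/M/M"},
    {"hostname": "fin-db-1", "service": "Financial", "cia": "H/H/H"},
]
DNS = {"pos-web-1": "10.10.0.12", "hr-app-1": "10.30.5.40"}   # fin-db-1 has no A record
IPAM = [   # subnet -> zone, with categorizations maintained by hand in IPAM
    {"subnet": "10.10.0.0/24", "zone": "DC1 DMZ", "categories": ["/Network Domain/DMZ"]},
    {"subnet": "10.20.0.0/22", "zone": "DC1 RA Client VPN", "categories": ["/Network Domain/VPN DHCP"]},
]
SCANS = {   # vulnerability scanner output keyed by IP address
    "10.10.0.12": {"last_scan": date(2025, 3, 1), "services": ["tcp/443"],
                   "vulns": ["EXAMPLE-VULN-1"]},   # placeholder identifier, not a real finding
}

CIA_LEVELS = {"H": "High", "M": "Medium", "L": "Low"}

def cia_categories(cia: str) -> list:
    """Turn an 'H/M/L' rating into Confidentiality/Integrity/Availability categories."""
    c, i, a = cia.split("/")
    return [f"/Confidentiality/{CIA_LEVELS[c]}", f"/Integrity/{CIA_LEVELS[i]}",
            f"/Availability/{CIA_LEVELS[a]}"]

def ipam_lookup(ip: str):
    """Return the IPAM subnet record containing `ip`, or None if it is unmanaged."""
    addr = ipaddress.ip_address(ip)
    for rec in IPAM:
        if addr in ipaddress.ip_network(rec["subnet"]):
            return rec
    return None

def scan_confidence(ip: str, today: date, max_age_days: int = 90) -> str:
    """Asset aging: downgrade confidence when the last scan is older than max_age_days."""
    scan = SCANS.get(ip)
    if scan is None:
        return "none"
    return "current" if (today - scan["last_scan"]).days <= max_age_days else "stale"

def build_asset_db(today: date = AS_OF, max_age_days: int = 90):
    """Join CMDB, DNS, IPAM and scan data keyed by hostname; return (assets, gaps)."""
    assets, gaps = {}, []
    for row in CMDB:
        host = row["hostname"]
        ip = DNS.get(host)
        if ip is None:
            gaps.append(f"{host}: no DNS record, cannot key on IP address")
            continue
        subnet = ipam_lookup(ip)
        if subnet is None:
            gaps.append(f"{host}: {ip} not in any IPAM subnet, zone unknown")
        scan = SCANS.get(ip, {})
        assets[host] = {
            "asset_name": host,            # asset name derived from the hostname
            "ip": ip,
            "zone": subnet["zone"] if subnet else None,
            "categories": sorted(set((subnet["categories"] if subnet else [])
                                     + cia_categories(row["cia"]))),
            "service": row["service"],
            "tcp_udp_services": scan.get("services", []),
            "vulnerabilities": scan.get("vulns", []),
            "scan_confidence": scan_confidence(ip, today, max_age_days),
        }
    return assets, gaps

if __name__ == "__main__":
    db, problems = build_asset_db()
    for name, rec in db.items():
        print(name, rec["zone"], rec["scan_confidence"], rec["categories"])
    print("gaps:", problems)
```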

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
