Friday, March 7, 2008

Network objects in Security infrastructure products

Security policies are complicated. A policy consists of many rules, and a rule typically carries IP address and service information along with other information specific to the particular security function. Some security products only support rules whose IP addresses and services are given as immediate values. Though that is not a problem when the rules are created, it becomes a maintenance headache when rules have to be modified because the network changed, and it makes the rules hard for new administrators to understand. Good security products support the creation of network objects and let rules reference them. Admins then need to modify only the network objects when the network changes, and since network objects are named, the rules are readable and any problems are easy to debug and fix.

Typical network objects are IP address objects and Service Objects.

IP Objects:
IP address objects name hosts, subnets and ranges of hosts. For example, all networks in the Engineering department can be grouped into one object, and each server can be represented by a separate object with a descriptive name.

Service objects name different kinds of services. For example, TCP port 80 can be named as the 'http' service object.

IMO, an IP object definition should take any type of IP address(es): subnet, range, single IP address or FQDN. It should also take multiples of these in one record. With this in mind, an IP object definition can be represented as:
  • Virtual Instance ID ( See http://srini-addepalli.blogspot.com/2008/03/virtualization-and-zones-in-secuirty.html )
  • Object name
  • Object Description
  • IP address Type - whether this definition is for a single IP address, an IP address range or a subnet
  • Multiple IP definitions, each having:
    • IP address (if type is single IP address)
    • IP address begin (if type is IP address range)
    • IP address end (if type is IP address range)
    • Network (if type is subnet)
    • Network mask (if type is subnet)
IPsec policy records, when implemented with IKEv1, can't have an FQDN as part of their selectors. Due to this, IP address objects containing FQDNs can't be used to represent selectors. Many security software implementations have special IP address objects which take only FQDNs. These IP address objects have the following parameters:
  • Virtual Instance ID
  • Name
  • Description
  • Multiple IP definitions, each having:
    • FQDN
The first kind of IP objects are called IPValueObjects and the second kind are called IPFQDNObjects.

Service Objects
Service objects represent services. Each service object contains the following attributes.
  • Virtual Instance ID (See http://srini-addepalli.blogspot.com/2008/03/virtualization-and-zones-in-secuirty.html )
  • Name
  • Description
  • Multiple definitions of ports, each having:
    • Protocol Begin (takes protocol numbers, such as those of UDP, TCP, etc.)
    • Protocol End
    • Port Range Valid (YES or NO): not applicable if the protocol range contains neither TCP nor UDP
      • Port Begin (if TCP or UDP is present in the protocol range)
      • Port End (if TCP or UDP is present in the protocol range)
    • ICMP type Valid (YES or NO): not applicable if the protocol range does not contain ICMP
      • ICMP type begin
      • ICMP type end
      • ICMP Code Begin
      • ICMP Code End

In addition to objects created by administrators, there could be objects created by other applications in the system. These objects are dynamic and can't be deleted by administrators, though it is good to show them in the UI.

Based on the above explanation, I have tried to give a possible TR-069 data model:

  • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects P
    • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.IPValueObject.{i} PC
      • ObjectName : RW, String of 32 characters. Once the object is created, this can't be changed.
      • Enable: 1 - Yes, 0 - No
      • Description: RW, string of 64 characters.
      • IPAddressType: RW, Integer Value (Takes values 0 - single IP, 1 - IP address range, 2 - IP subnet )
      • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.IPValueObject.{i}.IPdefinition.{i} PC
        • SingleIPValue: RW, String, IP address in dotted decimal. Applicable only if IPAddressType value is 0.
        • IPRangeMinValue, IPRangeMaxValue: RW, String. Values are IP addresses in dotted decimal. Applicable only if IPAddressType is 1.
        • IPSubnet, IPSubnetMask : RW, string. Values are IP addresses in dotted decimal. Applicable only if IPAddressType is 2.
    • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.DynIPValueObject.{i} P
      • ObjectName : Read Only, String of 32 characters.
      • Enable: Read Only, 1 - Yes, 0 - No
      • Description: Read Only, string of 64 characters.
      • IPAddressType: Read Only, Integer Value (Takes values 0 - single IP, 1 - IP address range, 2 - IP subnet )
      • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.DynIPValueObject.{i}.IPdefinition.{i} P
        • SingleIPValue: Read Only, String, IP address in dotted decimal. Applicable only if IPAddressType value is 0.
        • IPRangeMinValue, IPRangeMaxValue: Read Only, String. Values are IP addresses in dotted decimal. Applicable only if IPAddressType is 1.
        • IPSubnet, IPSubnetMask : Read Only, string. Values are IP addresses in dotted decimal. Applicable only if IPAddressType is 2.
    • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.IPFQDNObject.{i} PC
      • ObjectName : RW, String of 32 characters. Once the object is created, this can't be changed.
      • Enable: 1 - Yes, 0 - No
      • Description: RW, string of 64 characters.
      • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.IPFQDNObject.{i}.IPdefinition.{i} PC
        • IPFQDN: RW, string of max size 256.
    • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.DynIPFQDNObject.{i} P
      • ObjectName : Read Only, String of 32 characters.
      • Enable: Read Only, 1 - Yes, 0 - No
      • Description: Read Only, string of 64 characters.
      • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.DynIPFQDNObject.{i}.IPdefinition.{i} P
        • IPFQDN: Read Only, string of max size 256.
    • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.ServiceObject.{i} PC
      • ObjectName : RW, String (32 bytes). Can't be changed once the object is created with a value.
      • ObjectDescription: RW, String (64bytes)
      • Enable: 1 - Yes, 0 - No
      • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.ServiceObject.{i}.definition.{i}
        • ProtocolRangeMin: RW, Integer (0-255).
        • ProtocolRangeMax: RW, Integer (0-255)
        • PortRangeValid: 1 - Yes, 0 - No. Applicable only if TCP or UDP is present in the protocol range.
        • PortRangeMin: RW, Integer (0-65535)
        • PortRangeMax: RW, Integer (0-65535)
        • ICMPRangeValid: 1 - Yes, 0 - No. Applicable only if ICMP is present in the protocol range.
        • ICMPTypeRangeMin: RW, Integer (0-255)
        • ICMPTypeRangeMax: RW, Integer (0-255)
        • ICMPCodeRangeMin: RW, Integer (0-255)
        • ICMPCodeRangeMax: RW, Integer (0-255)
    • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.DynServiceObject.{i} P
      • ObjectName : Read Only, String (32 bytes).
      • ObjectDescription: Read Only, String (64 bytes)
      • Enable: Read Only, 1 - Yes, 0 - No
      • internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.DynServiceObject.{i}.definition.{i}
        • ProtocolRangeMin: Read Only, Integer (0-255).
        • ProtocolRangeMax: Read Only, Integer (0-255)
        • PortRangeValid: Read Only, 1 - Yes, 0 - No. Applicable only if TCP or UDP is present in the protocol range.
        • PortRangeMin: Read Only, Integer (0-65535)
        • PortRangeMax: Read Only, Integer (0-65535)
        • ICMPRangeValid: Read Only, 1 - Yes, 0 - No. Applicable only if ICMP is present in the protocol range.
        • ICMPTypeRangeMin: Read Only, Integer (0-255)
        • ICMPTypeRangeMax: Read Only, Integer (0-255)
        • ICMPCodeRangeMin: Read Only, Integer (0-255)
        • ICMPCodeRangeMax: Read Only, Integer (0-255)
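To make the IPValueObject and ServiceObject records above concrete, here is an added example (my own Python, not code from the post or from any TR-069 implementation) that expands an IPValueObject's IPdefinition records into networks and enforces the "applicable only if" constraints on a ServiceObject definition before a rule is allowed to reference it. The dictionary keys mirror the parameter names of the proposed data model, and the sample values in the comments are constructed.

```python
import ipaddress

SINGLE, RANGE, SUBNET = 0, 1, 2   # IPAddressType values in the proposed data model
ICMP, TCP, UDP = 1, 6, 17         # IANA protocol numbers stored in ProtocolRangeMin/Max

def ip_object_networks(ip_type, definitions):
    """Expand the IPdefinition.{i} records (dicts keyed like the data model) of one IPValueObject."""
    nets = []
    for d in definitions:
        if ip_type == SINGLE:
            nets.append(ipaddress.ip_network(d["SingleIPValue"]))       # e.g. 10.1.1.1 -> 10.1.1.1/32
        elif ip_type == RANGE:
            lo, hi = (ipaddress.ip_address(d[k]) for k in ("IPRangeMinValue", "IPRangeMaxValue"))
            if lo > hi:
                raise ValueError("IPRangeMinValue is greater than IPRangeMaxValue")
            nets.extend(ipaddress.summarize_address_range(lo, hi))     # range -> minimal CIDR list
        elif ip_type == SUBNET:
            nets.append(ipaddress.ip_network((d["IPSubnet"], d["IPSubnetMask"])))  # host bits must be 0
    return nets

def ip_object_contains(ip_type, definitions, ip):
    """True if ip falls inside any definition of the object (what a rule lookup needs)."""
    return any(ipaddress.ip_address(ip) in n for n in ip_object_networks(ip_type, definitions))

def service_definition_errors(d):
    """Check one ServiceObject.definition.{i} record; an empty list means it is consistent."""
    errors = []
    pmin, pmax = d["ProtocolRangeMin"], d["ProtocolRangeMax"]
    if not 0 <= pmin <= pmax <= 255:
        errors.append("protocol range must satisfy 0 <= min <= max <= 255")
    if d.get("PortRangeValid") and not any(pmin <= p <= pmax for p in (TCP, UDP)):
        errors.append("PortRangeValid set but protocol range has neither TCP nor UDP")
    if d.get("PortRangeValid") and not 0 <= d["PortRangeMin"] <= d["PortRangeMax"] <= 65535:
        errors.append("port range must satisfy 0 <= min <= max <= 65535")
    if d.get("ICMPRangeValid") and not pmin <= ICMP <= pmax:
        errors.append("ICMPRangeValid set but protocol range does not include ICMP")
    return errors

def service_matches(d, proto, port=None, icmp_type=None, icmp_code=None):
    """True if a flow (protocol plus port, or ICMP type/code) falls inside the definition."""
    if not d["ProtocolRangeMin"] <= proto <= d["ProtocolRangeMax"]:
        return False
    if proto in (TCP, UDP) and d.get("PortRangeValid"):
        return port is not None and d["PortRangeMin"] <= port <= d["PortRangeMax"]
    if proto == ICMP and d.get("ICMPRangeValid"):
        return (icmp_type is not None and icmp_code is not None
                and d["ICMPTypeRangeMin"] <= icmp_type <= d["ICMPTypeRangeMax"]
                and d["ICMPCodeRangeMin"] <= icmp_code <= d["ICMPCodeRangeMax"])
    return True   # protocol-only definition (or L4 fields not applicable) matches on protocol alone
```

A dynamic (DynIPValueObject / DynServiceObject) record can be checked with the same functions, since only its read-only status differs.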
