One of the unique features of Skybox, and the basis for what we do, is our network model. A network model is often confused with a network map. A network map is a two-dimensional representation of the network. The difference between a model and a map comes down to how well it emulates and represents the network.
The Network Model
The concept of modeling has been around for some time and has been used to address some very complex problems. Flight simulation, weather prediction and viral infection simulations are all solutions to difficult problems based on modeling. The basis for those solutions was to create a model (of an airplane, the earth, the human body) and then apply different “what-if” scenarios to the model. An accurate model will correctly predict the outcome of the scenario, delivering the same result that would occur if that scenario played out in real life.
In IT security, a network map is just a picture of boxes (representing network devices) connected with lines. When you try to use a map to solve problems, you’re are quickly faced with the need to make assumptions, or augment the map with information from other sources. When simply picking two points on a network map and asking, “Could a packet with a destination port of 80 make it from here to there?” you would need to understand whether each box along the path would forward or deny the packet and, if it was forwarded, which interface it would be forwarded to.
A network model understands the rules of each “box” and how it makes those forwarding decisions. This information comes in the form of rules: routing rules, access control rules, and network/port translation rules. The model must be able to simulate each device on the network and accurately treat a theoretical packet the same way the physical network would treat a real packet.
How Skybox Leverages the Network Model
More than 10 years ago, Skybox pioneered work in network modeling for the purpose of bringing context to vulnerability data in large organizations. Our original goal was to model the network to determine the exposure of vulnerabilities to the Internet and other parts of the network that might represent a threat origin. Over the last decade, Skybox has perfected the network model by adding support for all the crazy stuff that can exist in networks today–transparent firewalls, asynchronous routing, multiple layers of address translation and port translation, dynamic routing, mpls clouds, vpns, etc. The result is an interactive network model that can accurately be used for a variety of purposes. Skybox customers use this model to answer questions such as:
- Does my network allow more access than is described in my company’s security policy or a specific regulation?
- If a host on network X were compromised, what systems could it reach, either directly or via pivot/stair-step attacks?
- What kind of risk is associated with making this specific change to a firewall? What vulnerabilities will be exposed? What policies would be violated?
- How bad is it that I have a specific vulnerability on a specific host? Given my “defense in depth” with firewalls and IPS, how likely is it that this vulnerability could be exploited?
- If I de-provision a specific rule on a firewall, what will the effect be? Will any of my applications stop working?
- How can my SIEM understand which hosts are at the highest risk given constant changes in the network and ongoing vulnerability discovery?
- Is there was a way to interact with the collection of multi-vendor networking devices that make up my network on a single screen?
- I have 100s of thousands of vulnerabilities on my network—which ones are truly causing risk to my organization?
Skybox network modeling is designed with these types of contextually-aware questions in mind. Network modeling, unlike network mapping, understands the complexity of contemporary network architecture, access, and interaction.