Matching Network Paths to Named Networks
Question
The Xshield security platform receives network path information from assets. How is the source (Inbound) or destination (Outbound) IP address mapped to Named Networks?
Answer
When the Xshield security platform receives network path information from an Xshield agent, it attempts to map the path to a Named Network associated with the reporting asset. This mapping is based on the IP address of the other device communicating with the reporting asset.
This approach enables a single representation of the communication channel between the asset and the devices within the matched Named Network for a given port and protocol. It supports high scalability—especially when Named Networks contain a large number of IP addresses—and simplifies policy creation. Additionally, communication visualization becomes more intuitive and easier to validate, as it displays a single line between the asset and other devices, rather than multiple lines for each IP.
Named Network Assignment to Assets
When an asset is registered with the Xshield platform, operators assign one or more Named Networks to it through configuration. This assignment constrains the mapping of reported paths to only those Named Networks, optimizing lookup performance.
Operators can assign Named Networks to an asset in two ways:
- Template Assignment
- Widget Assignment
Template Assignment
The Xshield security platform allows users to define a policy template that can be attached to an asset directly or via a segment to which the asset belongs. The template defines inbound and outbound rules based on port, protocol, and Named Network. When a template is assigned to an asset, all Named Networks defined within the template are also associated with that asset. Any path information reported by the asset will be matched against these Named Networks, along with the specified port and protocol in the template.
Widget Assignment
Alternatively, users can assign a Named Network to an asset using the Named Network Assign Widget. This method only associates a Named Network (by IP), without considering port or protocol. As a result, incoming path information is matched solely against the IP addresses in the assigned Named Networks.
Path-to-Named Network Mapping
The Xshield platform uses the following algorithm, in order, to determine the best-matching Named Network for each reported path:
- Source Priority
- Named Network with Fewer IP Addresses
Source Priority
The platform searches for the IP address from the reported path within the asset’s associated Named Networks. This may yield multiple matches. To resolve conflicts, the system uses the following prioritization:
- If all matching Named Networks were template-assigned, select the best match from among them.
- If all were widget-assigned, select the best match from among them.
- If both types are present, prioritize the best match from the template-assigned networks, as they provide finer granularity by including port and protocol in the match.
Protocol & Port Matching Behavior
| Assignment Method | Applies When | Match Criteria |
|---|---|---|
| Template Assignment | Narrow scope | IP + Port + Protocol must match |
| Widget Assignment | Broad scope | IP must match; port and protocol are not considered |
Named Network with Fewer IP Addresses
If multiple Named Networks remain tied for the best match, the tie-breaker selects the one with the fewest IP addresses. This favors more specific networks.
TBD: Additional Clarification Needed
- Is a subnet counted as one entry or by the total number of IPs it contains?
- Are non-matching subnets within a Named Network considered in the IP count?
- Clarify the definition of "more specific" versus "minimum IPs."
Examples
| Path IP | Port | Protocol | Matching Networks | Final Selection |
|---|---|---|---|---|
| 10.0.0.5 | 443 | TCP | Template-NN (3 IPs), Widget-NN (2 IPs) | Template-NN (template takes priority) |
| 10.0.0.5 | 443 | UDP | Widget-NN-A (5 IPs), Widget-NN-B (2 IPs) | Widget-NN-B (fewer IPs) |
| 10.0.0.5 | 80 | TCP | Template-NN-A (10 IPs), Template-NN-B (3 IPs) | Template-NN-B (fewer IPs) |
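The source-priority rule and the fewest-IPs tie-breaker described above, run against the three rows of the Examples table, as an added Python example (not Xshield's own code). The NamedNetwork class, the rule that every address in a subnet counts toward the tie-breaker, and the candidate networks are all constructed assumptions; row 3 additionally includes a widget-assigned network to show that assignment priority is decided before the IP count.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NamedNetwork:
    name: str
    cidrs: list                              # constructed sample hosts/subnets
    assignment: str                          # "template" or "widget"
    rules: set = field(default_factory=set)  # {(port, proto)}; template only

    def ip_count(self) -> int:
        # Assumption: every address in a subnet counts (the page leaves
        # this open under "TBD: Additional Clarification Needed").
        return sum(ipaddress.ip_network(c).num_addresses for c in self.cidrs)

    def matches(self, ip: str, port: int, proto: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(c) for c in self.cidrs):
            return False
        # Template assignment: IP + port + protocol; widget: IP only.
        if self.assignment == "template":
            return (port, proto.upper()) in self.rules
        return True

def select_named_network(ip, port, proto, candidates) -> Optional[NamedNetwork]:
    """Source priority first (template beats widget), then fewest IPs."""
    matched = [nn for nn in candidates if nn.matches(ip, port, proto)]
    if not matched:
        return None
    templates = [nn for nn in matched if nn.assignment == "template"]
    pool = templates or matched          # template-assigned wins if present
    return min(pool, key=lambda nn: nn.ip_count())

# Constructed candidates mirroring the Examples table (IP counts match it).
T_NN   = NamedNetwork("Template-NN", ["10.0.0.5/32", "10.0.0.6/32", "10.0.0.7/32"], "template", {(443, "TCP")})
W_NN   = NamedNetwork("Widget-NN", ["10.0.0.5/32", "10.0.0.9/32"], "widget")
W_NN_A = NamedNetwork("Widget-NN-A", ["10.0.0.4/30", "10.0.0.20/32"], "widget")
W_NN_B = NamedNetwork("Widget-NN-B", ["10.0.0.5/32", "10.0.0.8/32"], "widget")
T_NN_A = NamedNetwork("Template-NN-A", ["10.0.0.0/29", "10.0.0.30/31"], "template", {(80, "TCP")})
T_NN_B = NamedNetwork("Template-NN-B", ["10.0.0.5/32", "10.0.0.6/32", "10.0.0.7/32"], "template", {(80, "TCP")})

def run_examples() -> list:
    """Return the selected Named Network name for each table row."""
    rows = [("10.0.0.5", 443, "TCP", [T_NN, W_NN]),
            ("10.0.0.5", 443, "UDP", [T_NN, W_NN_A, W_NN_B]),   # T_NN misses on UDP
            ("10.0.0.5", 80, "TCP", [T_NN_A, T_NN_B, W_NN])]    # W_NN loses on priority
    return [select_named_network(ip, p, pr, c).name for ip, p, pr, c in rows]

if __name__ == "__main__":
    print(run_examples())
```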
Summary
Mapping reported paths to Named Networks provides a powerful abstraction that simplifies micro-segmentation without sacrificing policy granularity. It enables scalable communication modeling, streamlined policy management, and more intuitive visualization.