Package NetworkConnectivity

URI: NetworkConnectivity

Description: Model of network routing and network paths.

R-DDoH

Finds an open network path from the Internet to (but not via) a Host connected to a local subnet, and the associated gateway and target network interfaces.

R-GHRS

Finds a gateway providing a radio subnet to which a host is connected.

R-GHRSi

Finds a gateway providing a radio subnet to which a host is connected, where the radio subnet implements itself (i.e. it is not the local realisation of a hotspot or cellular network).

R-GHWS

Finds a gateway providing a wired subnet to which a host is connected.

R-HIoH

Finds a Host connected to the Internet, and the associated network Interface.

R-HLoH

Finds a Host connected to a Layer 2 Logical Subnet, and the associated network Interface, and a second, remote host on the same subnet.

R-HRoH

Finds a Host connected to a Layer 3 Logical Subnet, and the associated network Interface, and a second, remote host on the same subnet.

R-HRSGS

Finds a host connecting to a radio subnet implementing an (abstract) hotspot or cellular network, and a gateway host located in a space that is providing the network.

R-HSRS

Finds a host located in a space connecting to a radio subnet implementing an (abstract) hotspot or cellular network.

R-HSWS

Finds a host located in a space connecting to a wired subnet.

R-HWSGS

Finds a client host connecting to a wired network, and a gateway host located in a space that is providing the network.

R-I

Finds an Interface.

R-ILSA

Finds an Interface connecting to a Logical Subnet that implements an Abstract Subnet.

R-INC

Finds a solo Interface, plus the associated host, subnet, and a host network access context where the interface is connected.

R-IoH

Finds an open network path from the Internet to (but not via) a Host connected to a local subnet, and the associated network interface and access context.

R-L3cGcL3

Finds a Host connected from an IP subnet to an IP subnet, both in the same space.

R-L3cGrL3

Finds a Host connected from an IP subnet to an IP subnet that it provides, both in the same space.

R-L3rGcL3

Finds a Host connected from an IP subnet to an IP subnet, the former being provided by the Host, and both in the same space.

R-L3rGrL3

Finds a Host providing two IP subnets, both in the same space.

R-L3SSg2

Finds a gateway from one IP subnet to an IP subnet, along with the segment asset representing the route via the gateway.

R-L3SSg2+b

Finds a gateway from one IP subnet to a second IP subnet, along with the segment asset representing the route via the gateway, where this route is blocked by default.

R-L3SSg2AC

Finds a gateway from one IP subnet to an IP subnet, along with the segment asset representing the route via the gateway, and a context in which the gateway is connected to both subnets.

R-LoH

Detects a Host in a context where it is connected to a Layer 2 Logical Subnet, and the associated network interface.

R-LPLS2NSg2

Finds a route between subnets through a gateway where NAT is used on the return path, and a logical path traversing the forward segment.

R-LPsLS

Finds a Logical Subnet at the start of a Logical Path.

R-NoH

Finds an open network path from a remote attacker subnet to (but not via) a Host connected to a local subnet, and the associated network interface and access context.

R-NP

Finds a network path (which may or may not be physical).

R-NPLS

Finds a network path that starts and ends on the same logical subnet.

R-RIoH

Finds an open network path to the Internet from a Host connected to a local subnet, and the associated network interface and access context.

R-RNoH

Finds an open network path to a remote attacker subnet from a Host connected to a local subnet, and the associated network interface and access context.

R-RoH

Finds an open network path from a remote attacker L3 subnet to (but not via) a Host connected to a local subnet, and the associated network interface and access context.

R-RScGcRS

Finds a Physical Host connected between two WiFi subnets, both in the same space.

R-Sg

Finds a logical segment between two subnets, plus the associated gateway host and its inbound and outbound interfaces.

R-SgAC

Finds a logical segment between two subnets, plus the associated gateway host, and a host location context where the segment is active.

R-SgHfILS

Finds a Logical Segment via a Host routing from a Logical Subnet, and the Interface between the Host and Logical Subnet.

R-SgHtILS

Finds a Logical Segment via a Host routing to a Logical Subnet, and the Interface between the Host and Logical Subnet.

R-WScMcWS

Finds a Mobile Host connected between two Wired LANs, both in the same space.

MP-DDoH

Change from: Finds an open network path from the Internet to (but not via) a Host connected to a local subnet, and the associated network interface and access context, plus the location contexts for the host being on that subnet, and optionally the host manager.

MP-GdHRS

Finds a gateway providing a radio subnet to which a distinct host is connected, and optionally a process controlling access to the radio subnet, which in this case implements an abstract network (hotspot or cellular network), i.e. there is an implements relationship to a distinct abstract subnet.

MP-GdHRSi

Finds a gateway providing a radio subnet to which a distinct host is connected, and optionally a process controlling access to the radio subnet, which in this case does not implement a separate abstract network (hotspot or cellular network), i.e. it has a self-referential implements relationship.

MP-GdHWS

Finds a gateway providing a wired subnet to which a distinct host is connected, and optionally a process controlling access to the subnet.

MP-HIoH

Finds a Host connected to the Internet, and the associated network Interface, plus optionally the host manager.

MP-HLoH

Finds a Host with optional system manager, connected to a Layer 2 Logical Subnet, and the associated network Interface, and a second, distinct host on the same subnet.

MP-HRoH

Finds a Host with optional system manager, connected to a Layer 3 Logical Subnet (but not the Internet), and the associated network Interface, and a second, remote host on the same subnet.

MP-HRSGSoS

Finds a host connecting to a radio subnet that is not an abstract hotspot, a gateway host located in a space that is providing the radio subnet, and optionally a service that controls access to the radio subnet.

MP-HSRSoGS

Finds a host located in a space connecting to a radio subnet that is not a hotspot, plus optionally the controlling host and service for the subnet.

MP-HSWSoGS

Finds a host located in a space connecting to a wired subnet it does not provide, plus optionally the host manager, and the gateway and service controlling the subnet.

MP-HWSGSoS

Finds a host connecting to a wired network it does not provide, a gateway host located in a space that is providing the network, and optionally the gateway host manager, and a service that controls access to the network.

MP-I

Finds a solo Interface, plus the associated host and subnet (which is not a hotspot) and optionally the host manager.

MP-ILSA

Finds an Interface connecting to a Logical Subnet that implements an Abstract Subnet that is not the same as the Logical Subnet.

MP-INC

Finds a solo Interface, plus the associated host, subnet, and a host network access context where the interface is connected.

MP-IoH

Finds an open network path from the Internet to (but not via) a Host connected to a local subnet, and the associated network interface and access context, plus the location contexts for the host being on that subnet, and optionally the host manager.

MP-L3c-rGc-rL3

Finds a Host connected from an IP subnet to a second distinct IP subnet, both in the same space, where neither is a hotspot and neither is provided by the gateway.

MP-L3c-rGrL3

Finds a Host connected from an IP subnet it does not provide to a second, distinct IP subnet that is provided by the Host, both in the same space, where neither subnet is a hotspot.

MP-L3rGc-rL3

Finds a Host connected from an IP subnet it provides to a second, distinct IP subnet that it does not provide, both in the same space, where neither subnet is a hotspot.

MP-L3rGrL3

Finds a Host providing two distinct IP subnets both in the same space.

MP-L3SSg2

Finds a gateway from an IP subnet to a distinct IP subnet, along with the forward and (open) return path segments via the gateway.

MP-L3SSg2+b

Finds a gateway from one IP subnet to a second IP subnet, along with the segment asset representing the route via the gateway, where this route is blocked by default.

MP-L3SSg2AC

Finds a gateway from an IP subnet to a distinct IP subnet, along with the forward and (open) return path segments via the gateway, and a context in which the gateway is connected to both subnets.

MP-L3SSg2AC-b

Finds a gateway from one IP subnet to an IP subnet, along with the segment asset representing the route via the gateway, and a context in which the gateway is connected to both subnets, where this route is not blocked by default.

MP-L3SSg2-b

Finds a gateway from one IP subnet to a second IP subnet, along with the segment asset representing the route via the gateway, where this route is not blocked by default.

MP-LoH

Finds a Host in a context where it is connected to a Layer 2 Logical Subnet, and the associated network interface, plus all contexts where it is connected to the same subnet (there may be others), and optionally the host manager.

MP-LPLS2NSg2

Finds a route between subnets through a gateway where NAT is used on the return path, and a logical path traversing the forward segment.

MP-LPsLS

Finds a Logical Subnet at the start of a Logical Path.

MP-NoH

Finds an open network path not via the Internet from a remote attacker subnet to (but not via) a Host connected to a local subnet, and the associated network interface and access context, plus the location contexts for the host being on that subnet, and optionally the host manager.

MP-NPLS

Finds a Network Path that starts and ends on the same subnet, i.e. it uses no gateways.

MP-NPmLSmSg

Finds a Network Path that traverses at least one Logical Segment, plus the Logical Subnet(s) it visits (in this pattern there should be more than one).

MP-RIoH

Finds an open network path to the Internet from (but not via) a Host connected to a local subnet, and the associated network interface and access context, plus the location contexts for the host being on that subnet, and optionally the host manager.

MP-RNoH

Finds an open network path not via the Internet to a remote attacker subnet from (but not via) a Host connected to a local subnet, and the associated network interface and access context, plus the location contexts for the host being on that subnet, and optionally the host manager.

MP-RoH

Finds an open network path from a remote attacker L3 subnet to (and not via) a Host in a space connected to a local subnet, and the associated network interface, plus the contexts in which the host is so connected (there must be at least one), and optionally the host manager.

MP-RScGcRS

Finds a Physical Host connected between two distinct WiFi subnets, both in the same space.

MP-Sg

Finds a gateway host between two subnets, plus the logical segments representing routes between the subnets via this gateway.

MP-SgHfILS

Finds a Logical Segment via a Host routing from a Logical Subnet, and the Interface between the Host and Logical Subnet.

MP-SgHtILS

Finds a Logical Segment via a Host routing to a Logical Subnet, and the Interface between the Host and Logical Subnet.

MP-WScMcWS

Finds a Mobile Host connected between two distinct Wired LANs, both in the same space.

(empty)

H.E.RScGcRS.9

Device Gateway connected to multiple WiFi networks in space Space: usually, devices have only one WiFi interface, and so can only be connected to one WiFi from each space they could be in. Use a control to indicate if this device really does have the ability to use multiple simultaneous WiFi channels.

H.E.WScMcWS.9

Mobile device Gateway connected to multiple Wired LANs in space Space: usually, mobile devices do not have more than one Wired network interface, and so can only be connected to one network in each space. Use a control to indicate if this device really does have multiple wired NICs.

H.L.IoH.3

Remote user access from AttackerSubnet via LogicalSubnet to insecure device Host: an attacker with access to AttackerSubnet gains access to host Host via an unprotected service listening on LogicalSubnet .

H.L.NoH.3

H.M.IoH.3

Remote root access from AttackerSubnet via LogicalSubnet to insecure device Host: an attacker with access to AttackerSubnet gains access to host Host via an unprotected yet privileged service listening on LogicalSubnet .

H.M.NoH.3

H.M.RIoH.7

Remote root access from AttackerSubnet via LogicalSubnet to back door on device Host: an attacker with access to AttackerSubnet gains access to host Host via a previously installed back door providing a reverse shell via LogicalSubnet .

H.M.RNoH.7

I.A.GdHRS.6

Device Host unable to connect to radio subnet LogicalSubnet from Space: if access to network subnet LogicalSubnet is restricted, device Host will be unable to connect if it does not have the necessary credentials.

I.A.GdHRSi.6

Device Host unable to connect to radio subnet LogicalSubnet: if access to network subnet LogicalSubnet is restricted, device Host will be unable to connect if it does not have the necessary credentials.

I.A.GdHWS.6

Device Host unable to connect to wired subnet LogicalSubnet: if access to network subnet LogicalSubnet is restricted, device Host will be unable to connect if it does not have the necessary credentials.

I.A.I.0

Effect of overload at interface Interface: if the interface Interface is overloaded it may become unavailable.

I.A.I.6.1

Disabled network connection from Host to LogicalSubnet is not available: if host Host does not in fact connect to subnet LogicalSubnet then that connection will be unavailable.

I.Auth.HRSGSoS.3

Spoofing radio network LogicalSubnet at location Space of access point Gateway: at attacker with access to the location Space of radio networking device Gateway can physically spoof network LogicalSubnet by introducing their own radio network to impersonate the real one.

I.Auth.HSRSoGS.3

Spoofing radio network LogicalSubnet at location Space of supplicant Host: at attacker with access to the location Space of Host can physically spoof network LogicalSubnet by introducing their own radio base station to impersonate the real one.

I.Auth.HSWSoGS.3

Spoofing wired network LogicalSubnet at location Space of supplicant Host: at attacker with access to the location Space of a host Host can physically insert their own device between the host and its wired connection to LogicalSubnet.

I.Auth.HWSGSoS.3

Spoofing wired network LogicalSubnet at location Space of router Gateway: at attacker with access to the location Space of a wired router Gateway can physically insert their own device between the router and its wired connection to device Host.

I.DA.I.8

Access to Host from LogicalSubnet enabled: if the network connection between Host and LogicalSubnet is in service, then messages addressed to Host will be accepted via that connection, unless blocked by a firewall policy.

I.IS.I.8

Access from Host to LogicalSubnet enabled: if Host is in service, then it will connect to LogicalSubnet by default, unless the connection is disabled.

I.IS.INC.1

Access from Host to LogicalSubnet not disabled: if an attacker has admin rights on device Host when in range of LogicalSubnet, they can override a policy to avoid connecting to subnet LogicalSubnet.

I.M.I.8

Message traffic from LogicalSubnet via Host is unconstrained: if the interface between Host and LogicalSubnet is in service, then traffic that is not blocked will not be subject to any bandwidth limits unless controls are used to impose such limits.

I.O.DDoH.3

Remote DDoS attack from AttackerSubnet on Host connection to LogicalSubnet: an attacker able to orchestrate clients on subnet AttackerSubnet arranges for them to send too many messages to the network address of the target device Host on LogicalSubnet.

I.O.HIoH.3.1

Remote DoS attack from LogicalSubnet on Host: an attacker with access to subnet LogicalSubnet sends too many messages to the network address of the connected target device Host.

I.O.HIoH.3.2

Remote DDoS attack from LogicalSubnet on Host: an attacker able to orchestrate clients on subnet LogicalSubnet arranges for them to send too many messages to the network address of the connected target device Host.

I.O.IoH.3

Remote DoS attack from AttackerSubnet on Host connection to LogicalSubnet: an attacker with remote access to Layer 3 subnet LogicalSubnet sends too many messages to the network address of the target device Host on LogicalSubnet.

I.O.LoH.3

Adjacent DoS attack on Host from LogicalSubnet: an attacker with access to Layer 2 subnet LogicalSubnet sends too many messages to the hardware address of a target device Host connected to that subnet.

I.O.RoH.3

LS.C.WiFiSSoH.3

Passive snooping in WiFi subnet LogicalSubnet from Space: if an attacker has physical access to WiFi subnet LogicalSubnet from Space, they can passively snoop traffic unless the network is encrypted.

NP.DA.NPLS.8

Network path across LogicalSubnet enters service: the subnet LogicalSubnet being in service means messages can be sent across it.

NP.DA.NPmLSmSg.8

Network path from FromSubnet to ToSubnet enters service: if the logical subnets on this path are in service, and gateways do not block message routing between subnets, then messages can be sent on the end-to-end path.

Sg.A.L3SSg2.6.1

Connections between FromSubnet and ToSubnet via Gateway are disabled: if port forwarding is disabled by closing firewall tunnels at Gateway the route via Gateway between FromSubnet and ToSubnet will be unavailable to legitimate users.

Sg.A.Sg.0

Device Gateway unable to route from FromSubnet to ToSubnet: if device Gateway is not available, it will be unable to route messages from FromSubnet to ToSubnet.

Sg.DA.L3SSg2AC-b.1

Routing between FromSubnet and ToSubnet re-disabled at Gateway: if an attacker has admin rights on host Gateway in a context where it is connected to FromSubnet and ToSubnet, then they can override a default policy to drop connection being routed between those subnets.

Sg.DA.L3SSg2-b.8

Routing between FromSubnet and ToSubnet via Gateway is enabled by default: if this route between IP subnets is enabled for all communications, it could be exploited by an attacker.

Sg.IS.Sg.8

Routing from FromSubnet to ToSubnet via Gateway is in service: if device Gateway and subnets FromSubnet to ToSubnet are in service, then so is the route between the subnets provided by Gateway.

BandwidthUnmanaged	Signifies that bandwidth used by message flows through an interface cannot be restricted based on their source and/or destination addresses.
CommsSnoopable	Applies to a network or communication channel, signifying that messages in that network or channel can be intercepted and read via passive snooping or via a man-in-the-middle attack.
ConnectionsAllowed	Applies to a network communication route, i.e. the Interface between a Host and a Subnet, or a Logical Segment representing a route between two Subnets, signifying that by default, messages will be allowed to flow.
NetworkSpoofing	The connection from a device to a subnet is really with a spoofed subnet. This means a malicious party is routing between the device and the subnet with which it is supposed to be connected.

CSG-BlockGatewayRoute	Apply a default firewall rule at gateway host *Gateway* to drop messages sent via the gateway from *FromSubnet* to *ToSubnet*, unless they are service requests or responses.
CSG-BlockInterface	Apply a default firewall rule at host *Host* to drop messages sent to the host from subnet *LogicalSubnet*, unless they are service requests or responses.
CSG-BWManagementAtInterface	Limit the bandwidth for each remote source of communication destined for the network address of *Host* on *LogicalSubnet*.
CSG-DisableNetworkConnection	Signifies that device *Host* will not connect to subnet *LogicalSubnet* even though such a connection is implied by the system model. This strategy does not represent a contingency plan, but a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction. The most common situation where a connection is possible but is not used is where a mobile device connects to a cellular network which could be done in any location, but the user will avoid it in some locations.
CSG-DisablePortForwarding-Runtime	If device *Gateway* blocks unsolicited connections into private subnet *ToSubnet*, port forwarding is used to allow access to services by legitimate clients. This strategy may represent a run-time adaptation in response to a threat, or a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction.
CSG-FilterDosAtInterface	Filter DDoS messages to a target in the core network. This normally has to be arranged through the Internet connection service provider, so it is modelled by assigning the corresponding control to the final interface to the Internet.

AddressReservation	Applies to the interface between a device and a subnet, and means the device has a reserved network address (fixed or in a known, restricted range).
BandwidthManagement	A policy is enforced that restricts traffic between source and destination IP addresses. Note that this may be implemented at interfaces other than the one having the destination address.
DDoSFiltering	Measures can be enabled to filter DDoS attacks against the IP address for the interface. Usually this is done in the core network, by an Internet service provider, on behalf of the customer to whom the IP address is assigned.
DisableInterface	Means a host does not connect to a network, unless compromised. This is not the same as FWBlock, which represents a policy to drop messages on a live connection. It means the connection is not made in the first place. Typically used where a host connects to a radio network that is implemented in several locations, but should not be used in some of those locations.
DisableServiceAccess	Signifies that firewall policy exceptions allowing access to services have been removed. This prevents client-service connections if and only if the default policy is to block other connections.
FWBlock	Means the default policy is to drop messages directed to a network address (interface) or via a network router (logical segment).

Role_FromHost	A host that is (or hosts) the source of a message or data flow.
Role_FromSubnet	A subnet at the start of a network path or communication channel.
Role_FwdSegment	A logical segment representing the forward path for connections via a gateway.
Role_InboundIF	An interface via which communication enters a host from a subnet.
Role_Interface	An interface between a host and a logical subnet.
Role_LogicalPath	A network path which may or may not be physical.
Role_LogicalRoute	A logical segment representing a route via a gateway.
Role_LogicalSegment	A route through a gateway between subnets.
Role_NetworkPath	A path through the network, usually between a subnet accessible to attackers and a subnet to which a target host is connected.
Role_NewPath	A constructed network path.
Role_OldPath	A pre-existing network path from which other paths will be contructed.
Role_OutboundIF	An interface via which communication enters a subnet from a host.
Role_PhysicalPath	A physical network path.
Role_RetSegment	A logical segment representing the return path for connections via a gateway.
Role_SubPath	Role assigned to a subpath of some other network path.
Role_ToHost	A host that is (or hosts) the destination of a message or data flow.
Role_ToSubnet	A subnet at the end of a network path or communication channel.

ClosedSegment	A route between subnets via a gateway on which messages cannot be routed by default. Subclasses are used to represent cases where messages can be routed, so a route represented by the base class only is one where messages cannot be sent unless they are replies on a previously established connection.
CommsAsset	Base class for all assets representing network communications.
DeNATSegment	A route through a NAT device (or equivalent) from a public subnet to a private one. In an IPv4 network, destination addresses for messages along this route must be translated from public to private addresses. This would normally only happen if the message is a response in a previously established connection from private to public subnets, unless port forwarding is implemented to allow access to specific services.
Interface	The interface between a Host and a Logical Subnet. Represents a possible point of control and a target for attack. If the Logical Subnet is an IP network, the Interface also represents the existence of an IP address.
LogicalPath	Base class for network paths.
LogicalRoute	A route through a Host between two connected Logical Subnets along which it is always possible to route messages.
LogicalSegment	A base class representing a route through a Host between any two distinct Logical Subnets of any kind.
NATSegment	Route through a Host between two distinct Logical Subnets in which the source of the message (e.g. its IP address) is rewritten in transit through the gateway Host. If both subnets are IP networks, this corresponds to SNAT on outbound messages.
NetworkPath	Represents a path in the network between two LogicalSubnets.
OpenSegment	A route through a Host between two connected Logical Subnets along which it is possible to route messages where the message source need not be obfuscated by any form of network address translation, although the destination address may in some cases be changed from that of the gateway Host.
PhysicalPath	Represents a path in the network between two LogicalSubnets in which all of the subnets involved are physical.

BandwidthManaged	Signifies that bandwidth used by message flows through an interface can be restricted based on their source and/or destination addresses.
ChannelConfidentiality	Applies to a network or a communication channel between processes, signifying that messages cannot be intercepted and read in that network or channel.
ConnectionsBlocked	Applies to a communication route, i.e. the Interface between a Host and a Subnet, or a Logical Segment representing a route between two Subnets, signifying that by default, messages will be dropped.
NetworkAuthenticity	The connection from a supplicant device is not an imposter subnet.