An integrated systematic approach to designing enterprise access control

Authors
Sun, Xin
Xie, Geoffrey G.
Subjects
Network management
network complexity
top-down network design
access control
VLAN
IP addressing
packet filters
Date of Issue
2016-03
Date
11 March 2016
Publisher
IEEE
Abstract
Today, the network design process remains ad hoc and largely complexity-agnostic, often resulting in suboptimal networks characterized by excessive dependence and command counts in device configurations. Unnecessarily high configuration complexity greatly increases both the amount of manual intervention required to manage the network and the likelihood of configuration errors, and thus must be avoided. In this paper, we present an integrated top-down design approach and show how it can minimize unnecessary configuration complexity in realizing reachability-based access control, a key network design objective that involves designing three distinct network elements: virtual local-area networks (VLANs), IP addresses, and packet filters. Capitalizing on newly developed abstractions, our approach integrates the design of these three elements into a unified framework by systematically modeling how the design of one element may affect the complexity of the others. Our approach goes substantially beyond the current divide-and-conquer approach, which designs each element in complete isolation, and makes it possible to minimize the combined complexity of all elements. Specifically, two new optimization problems are formulated, and novel algorithms and heuristics are developed to solve them. Evaluation on a large campus network shows that our approach can reduce packet filter complexity and VLAN trunking complexity by more than 85% and 70%, respectively, compared with the ad hoc approach currently used by the operators.
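The abstract's central point is that the design of one element (here, IP address assignment) determines the complexity of another (the packet filter that enforces reachability). The following is an added illustration of that coupling, not code or an algorithm from the paper: it takes one constructed reachability policy ("staff may reach the server VLAN, guests may not"), applies it under an ad hoc address plan and under a policy-aligned plan, and counts the filter entries each plan needs. The hosts, addresses, ACL syntax and the complexity metric (number of permit entries before the final deny) are all assumptions made for the example; it also shows why the tempting shortcut of widening to a single covering prefix is not a safe way to reduce entry count.

```python
import ipaddress

# Constructed example (not from the paper): eight hosts in one /24 and two
# policy groups. Policy: the server VLAN accepts traffic from "staff" only, so
# the filter on the server VLAN interface must enumerate the staff addresses
# and then deny everything else.

def minimal_prefixes(addresses):
    """Collapse host addresses into the fewest CIDR prefixes that cover exactly
    that set and nothing else. Each prefix becomes one permit entry."""
    nets = [ipaddress.ip_network(f"{a}/32") for a in addresses]
    return list(ipaddress.collapse_addresses(nets))

def filter_complexity(allowed):
    """Complexity metric assumed here: number of permit entries in the filter."""
    return len(minimal_prefixes(allowed))

def build_acl(allowed, name="to-servers"):
    """Render the filter as generic ACL lines (syntax is illustrative only)."""
    lines = [f"ip access-list {name}"]
    for net in minimal_prefixes(allowed):
        lines.append(f"  permit ip {net.with_prefixlen} any")
    lines.append("  deny ip any any")
    return lines

def covering_supernet(addresses):
    """The tempting shortcut: the single smallest prefix that covers every
    allowed address. Fewer entries, but it may admit addresses outside the set."""
    nets = [ipaddress.ip_network(f"{a}/32") for a in addresses]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net

def leaked(prefix, denied):
    """Addresses from the denied group that a permit on `prefix` would admit."""
    return [a for a in denied if ipaddress.ip_address(a) in prefix]

# Plan A (ad hoc): addresses handed out in arrival order, so staff and guest
# hosts interleave within the subnet.
PLAN_AD_HOC = {
    "staff": ["10.0.0.1", "10.0.0.3", "10.0.0.5", "10.0.0.7"],
    "guest": ["10.0.0.2", "10.0.0.4", "10.0.0.6", "10.0.0.8"],
}

# Plan B (policy-aligned): each policy group gets a contiguous, power-of-two
# sized block, so the whole group is named by one prefix.
PLAN_ALIGNED = {
    "staff": ["10.0.0.0", "10.0.0.1", "10.0.0.2", "10.0.0.3"],
    "guest": ["10.0.0.4", "10.0.0.5", "10.0.0.6", "10.0.0.7"],
}

def compare_plans():
    """Filter entry count for the same policy under each address plan."""
    return {
        "ad hoc": filter_complexity(PLAN_AD_HOC["staff"]),
        "aligned": filter_complexity(PLAN_ALIGNED["staff"]),
    }

if __name__ == "__main__":
    for name, groups in (("ad hoc", PLAN_AD_HOC), ("aligned", PLAN_ALIGNED)):
        print(f"# {name} addressing: {filter_complexity(groups['staff'])} permit entries")
        print("\n".join(build_acl(groups["staff"])))
        wide = covering_supernet(groups["staff"])
        print(f"# single covering prefix {wide} would leak to: {leaked(wide, groups['guest'])}")
```

Under the ad hoc plan the exact filter needs four /32 permits, and collapsing them to the one covering /29 would admit three guest hosts; under the aligned plan the same policy is a single /30 permit with no leakage. That is the effect the paper measures at campus scale: the address plan, not the policy, drives the filter's size.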
Type
Article
Description
Published in: IEEE/ACM Transactions on Networking (Volume: 24 , Issue: 6 , December 2016)
The article of record as published may be found at http://dx.doi.org/10.1109/TNET.2016.2535468
Department
Computer Science (CS)
Organization
Naval Postgraduate School (U.S.)
Format
15 p.
Citation
Sun, Xin, and Geoffrey G. Xie. "An integrated systematic approach to designing enterprise access control." IEEE/ACM Transactions on Networking 24.6 (2016): 3508-3522.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.