Publication:
Static reachability analysis and validation regarding security policies implemented via packet filters

Loading...
Thumbnail Image
Authors
Kantz, Stephen M.
Subjects
Advisors
Xie, Geoffrey
Date of Issue
2007-03
Date
Publisher
Monterey, California. Naval Postgraduate School
Language
Abstract
The ability to statically determine what kinds of packets can be exchanged between two hosts on a network is desirable to those who design and operate networks, but this is a difficult and complex problem. Factors affecting reachability analysis are packet filters, routing policies and packet transformations. The number of variables within and among networks is intractable for manual computation. A proposed solution to this mess is a tractable framework for which to map networks into, thus creating a single unified model for analysis. It depends heavily on the use of transforming the problem into a classical graph problem that can be solved with polynomial time algorithms such as transitive closure. This research develops an automated validation process to test the reachability upper bound calculated from a recent implementation of the framework which focuses specifically on the packet filter aspect, namely access control lists. Real-world network configuration files and network packet flow data from a Tier-1 Internet Service Provider is supplied as the data set. A significant contribution of this thesis is the application of real-world data to the proposed method for static reachability analysis as it pertains to the static testing of security policies applied via packet filters.
Type
Thesis
Description
Series/Report No
Department
Organization
Naval Postgraduate School (U.S.)
Identifiers
NPS Report Number
Sponsors
Funder
Format
xiv, 53 p. :
Citation
Distribution Statement
Approved for public release; distribution is unlimited.
Approved for public release; distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
Collections