Validating network security policies via static analysis of router ACL configuration
Wong, Eric Gregory Wen Wie
The security of a network depends on how well its design fulfills the organization's security policy. One aspect of security is reachability: whether two hosts can communicate. Network designers and operators face a very difficult problem in verifying the reachability of a network: automated tools are lacking, and calculation by hand is impractical because of the sheer size of most networks. The reachability of a network is influenced by packet filters, routing protocols, and packet transformations. A general framework for calculating the joint effect of these three factors was published recently. This thesis partially validates that framework through a detailed Java implementation: an automated solution which demonstrates that the effect of statically configured packet filters on the reachability upper bounds of a network can be computed efficiently. The automated solution performs its computations purely on data obtained from parsing router configuration files. Mapping all packet filter rules into a data structure called PacketSet, consisting of tuples of permitted ranges of packet header fields, is the key to easy manipulation of the data obtained from the router configuration files. This novel approach facilitates the validation of the security policies of very large networks, which was previously not possible, and paves the way for a complete automated solution for static analysis of network reachability.
Rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
Related items (by title, author, creator and subject):

Static reachability analysis and validation regarding security policies implemented via packet filters. Kantz, Stephen M. (Monterey, California: Naval Postgraduate School, 2007-03). The ability to statically determine what kinds of packets can be exchanged between two hosts on a network is desirable to those who design and operate networks, but this is a difficult and complex problem. Factors affecting ...

Zhan, J.; Maltz, D.; Zhang, H.; Greenberg, A.; Hjalmtysson, G.; Rexford, J.; Xie, Geoffrey (2005-03). The primary purpose of a network is to provide reachability between applications running on end hosts. In this paper, we describe how to compute the reachability a network provides from a snapshot of the configuration state ...

A Case for Software-Defined Networking in the United States Marine Corps: Automating Distributed Firewalls. Logan, Brent E. (Monterey, CA: Naval Postgraduate School, 2019-06). Software Defined Networking (SDN) is a field in computer science that has seen rapid adoption in industry and academia. SDN reduces network administration and cost, empowers fine-grained network control, and enables ...