Technical Reports
HPL-2008-28R1
End-to-End Network Access Analysis
Bandhakavi, Sruthi; Bhatt, Sandeep; Okita, Cat; Rao, Prasad
HP Laboratories
Abstract: Network security administrators cannot always accurately tell which end-to-end accesses are permitted within their network and which are not. The problem is that every access is determined by the configurations of multiple, separately administered components along a path. Furthermore, configurations evolve over time, and a small change in one configuration file can have widespread impact on the end-to-end accesses. Short of exhaustive testing, which is prohibitively time-consuming and impractical, there are no good solutions for analyzing end-to-end flows from network configurations. This paper presents a technique to analyze all the end-to-end accesses from the configuration files of network routers and firewalls. The contributions of this paper are to engineer solutions for real network instances that are based on (i) generic templates for network components, (ii) a more general treatment of firewalls, including ways to deal with certain state-dependent filter rules, and (iii) efficient generation of firewall access control rules to meet desired end-to-end flow requirements. Our goal is to help network security engineers and operators quickly determine configuration errors that may cause unexpected access behavior.
22 Pages
External Posting Date: November 21, 2008. Approved for External Publication
Internal Posting Date: November 21, 2008