TY - GEN
T1 - Analyzing end-to-end network reachability
AU - Bandhakavi, Sruthi
AU - Bhatt, Sandeep
AU - Okita, Cat
AU - Rao, Prasad
PY - 2009
Y1 - 2009
N2 - Network security administrators cannot always accurately tell which end-to-end accesses are permitted within their network, and which ones are not. The problem is that every access is determined by the configurations of multiple, separately administered, components. As configurations evolve, a small change in one configuration file can have widespread impact on the end-to-end accesses. Short of exhaustive testing, which is impractical, there are no good solutions to analyze end-to-end flows from network configurations. This paper presents a general technique to analyze all the end-to-end accesses from the configuration files of network routers, switches and firewalls. We efficiently analyze certain state-dependent filter rules. Our goal is to help network security engineers and operators quickly determine configuration errors that may cause unexpected behavior such as unwanted accesses or unreachable services. Our technique can also be used as part of the change management process, to help prevent network misconfiguration.
AB - Network security administrators cannot always accurately tell which end-to-end accesses are permitted within their network, and which ones are not. The problem is that every access is determined by the configurations of multiple, separately administered, components. As configurations evolve, a small change in one configuration file can have widespread impact on the end-to-end accesses. Short of exhaustive testing, which is impractical, there are no good solutions to analyze end-to-end flows from network configurations. This paper presents a general technique to analyze all the end-to-end accesses from the configuration files of network routers, switches and firewalls. We efficiently analyze certain state-dependent filter rules. Our goal is to help network security engineers and operators quickly determine configuration errors that may cause unexpected behavior such as unwanted accesses or unreachable services. Our technique can also be used as part of the change management process, to help prevent network misconfiguration.
UR - http://www.scopus.com/inward/record.url?scp=70449374903&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=70449374903&partnerID=8YFLogxK
U2 - 10.1109/INM.2009.5188865
DO - 10.1109/INM.2009.5188865
M3 - Conference contribution
AN - SCOPUS:70449374903
SN - 9781424434879
T3 - 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009
SP - 585
EP - 590
BT - 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009
T2 - 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009
Y2 - 1 June 2009 through 5 June 2009
ER -