Title :
Analyzing end-to-end network reachability
Author :
Bandhakavi, Sruthi ; Bhatt, Sandeep ; Okita, Cat ; Rao, Prasad
Author_Institution :
Hewlett-Packard Labs., Princeton, NJ, USA
Abstract :
Network security administrators cannot always accurately tell which end-to-end accesses are permitted within their network, and which ones are not. The problem is that every access is determined by the configurations of multiple, separately administered, components. As configurations evolve, a small change in one configuration file can have widespread impact on the end-to-end accesses. Short of exhaustive testing, which is impractical, there are no good solutions to analyze end-to-end flows from network configurations. This paper presents a general technique to analyze all the end-to-end accesses from the configuration files of network routers, switches and firewalls. We efficiently analyze certain state-dependent filter rules. Our goal is to help network security engineers and operators quickly determine configuration errors that may cause unexpected behavior such as unwanted accesses or unreachable services. Our technique can be also be used as part of the change management process, to help prevent network misconfiguration.
Keywords :
telecommunication network routing; telecommunication security; end-to-end network reachability; firewalls; network routers; network security; switches; Filtering; Filters; Information analysis; Laboratories; Network servers; Packet switching; Permission; Routing; Switches; Testing;
Conference_Titel :
Integrated Network Management, 2009. IM '09. IFIP/IEEE International Symposium on
Conference_Location :
Long Island, NY
Print_ISBN :
978-1-4244-3486-2
Electronic_ISBN :
978-1-4244-3487-9
DOI :
10.1109/INM.2009.5188865
