Improved Reachability Analysis for Security Management
C. Basile, D. Canavese, A. Lioy, Christian Pitscheider
Published in: 2013 21st Euromicro International Conference on Parallel, Distributed, and Network-Based Processing
Publication date: 2013-02-27
DOI: 10.1109/PDP.2013.86 (https://doi.org/10.1109/PDP.2013.86)
Citation count: 2
Abstract
Network reachability analysis evaluates the actual connectivity of an IT infrastructure. It can be performed either by active network probing or by examining a formal model of the target IT infrastructure. The latter approach is preferable, as it does not interfere with normal network behaviour and can easily be used during the development and change-management phases. In this paper we propose a novel modelling approach based on a geometric representation of device configurations (i.e. the policies), which allows reachability analysis to be computed using the concept of an equivalent firewall. An equivalent firewall is a fictitious device, ideally connected directly to the communication endpoints, that summarizes the network behaviour between them. Our model supports routing, filtering and address-translation devices in a computationally effective way. In fact, the experimental results show that equivalent firewalls are computed in negligible time and that reachability queries are then answered in a few seconds.