Analyzing end-to-end network reachability

Sruthi Bandhakavi, Sandeep Bhatt, Cat Okita, Prasad Rao

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

4 Citations (Scopus)

Abstract

Network security administrators cannot always accurately tell which end-to-end accesses are permitted within their network, and which ones are not. The problem is that every access is determined by the configurations of multiple, separately administered components. As configurations evolve, a small change in one configuration file can have widespread impact on the end-to-end accesses. Short of exhaustive testing, which is impractical, there are no good solutions to analyze end-to-end flows from network configurations. This paper presents a general technique to analyze all the end-to-end accesses from the configuration files of network routers, switches and firewalls. We efficiently analyze certain state-dependent filter rules. Our goal is to help network security engineers and operators quickly determine configuration errors that may cause unexpected behavior such as unwanted accesses or unreachable services. Our technique can also be used as part of the change management process, to help prevent network misconfiguration.
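The kind of analysis the abstract describes, as an added illustration written for this page rather than the authors' implementation: a flow is reachable end to end only if every filter along the path permits it, a stateful "established" rule is resolved by asking whether the reverse flow is itself permitted along the reverse path, and the reachable set before and after a configuration change is diffed to surface unwanted accesses. The topology (user LAN, router R1, firewall FW, server LAN), the addresses, the ACLs and the candidate flows are all constructed for the example; the Cisco-style first-match-with-implicit-deny semantics is an assumption about the filters being modelled.

```python
"""Toy end-to-end reachability analyzer across a chain of packet filters.
Illustrative code written for this page; it is not the paper's implementation.
The topology, addresses, ACLs and flows below are constructed examples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Set

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

    def reply(self) -> "Flow":
        """The return direction of this flow: endpoints and ports swapped."""
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR, e.g. "10.1.0.0/24"
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False    # state-dependent: reply traffic of a permitted session only

    def matches(self, flow: Flow, reply_of_permitted: bool) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if ipaddress.ip_address(flow.src) not in Net(self.src):
            return False
        if ipaddress.ip_address(flow.dst) not in Net(self.dst):
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        # A stateful rule only fires when the forward session was itself permitted.
        return reply_of_permitted or not self.established


@dataclass(frozen=True)
class Hop:
    """One filtering point: the ACL seen in the path direction (fwd) and the
    ACL seen by traffic travelling the opposite way (rev)."""
    name: str
    fwd: Sequence[Rule]
    rev: Sequence[Rule]


def acl_permits(acl: Sequence[Rule], flow: Flow, reply_of_permitted: bool) -> bool:
    """First-match semantics with an implicit deny at the end (assumed Cisco-style ACL)."""
    for rule in acl:
        if rule.matches(flow, reply_of_permitted):
            return rule.action == "permit"
    return False


def reverse_path(path: Sequence[Hop]) -> Sequence[Hop]:
    return [Hop(h.name, h.rev, h.fwd) for h in reversed(path)]


def reachable(path: Sequence[Hop], flow: Flow, use_state: bool = True) -> bool:
    """A flow is reachable end to end only if every hop permits it. 'established'
    rules are resolved by checking whether the reverse flow is reachable along the
    reverse path; that inner query ignores stateful rules, so recursion stops at one level."""
    needs_state = use_state and any(r.established for h in path for r in h.fwd)
    reply_ok = needs_state and reachable(reverse_path(path), flow.reply(), use_state=False)
    return all(acl_permits(h.fwd, flow, reply_ok) for h in path)


def reachable_set(path: Sequence[Hop], flows: Sequence[Flow]) -> Set[Flow]:
    return {f for f in flows if reachable(path, f)}


def change_impact(before: Sequence[Hop], after: Sequence[Hop], flows: Sequence[Flow]) -> dict:
    """Change-management check: which accesses a configuration change opens or closes."""
    old, new = reachable_set(before, flows), reachable_set(after, flows)
    return {"newly_allowed": new - old, "newly_blocked": old - new}


# Constructed topology: user LAN 10.1.0.0/24 -> R1 -> FW -> server LAN 10.2.0.0/24.
ANY = "0.0.0.0/0"
R1 = Hop("R1", fwd=[Rule("permit", "ip", "10.1.0.0/24", ANY)], rev=[Rule("permit", "ip", ANY, ANY)])
FW = Hop("FW",
         fwd=[Rule("permit", "tcp", "10.1.0.0/24", "10.2.0.10/32", dport=443)],  # implicit deny follows
         rev=[Rule("permit", "tcp", "10.2.0.0/24", "10.1.0.0/24", established=True),
              Rule("deny", "ip", ANY, ANY)])
PATH = [R1, FW]

# A "small" later change: a plain permit inserted ahead of FW's stateful outbound rule.
FW_CHANGED = Hop("FW", fwd=FW.fwd,
                 rev=[Rule("permit", "tcp", "10.2.0.0/24", "10.1.0.0/24")] + list(FW.rev))
PATH_CHANGED = [R1, FW_CHANGED]

# Constructed candidate flows.
WEB = Flow("10.1.0.5", "10.2.0.10", "tcp", 40000, 443)             # user -> web server
DB = Flow("10.1.0.5", "10.2.0.20", "tcp", 40001, 5432)             # user -> database (should be blocked)
SERVER_INITIATED = Flow("10.2.0.20", "10.1.0.5", "tcp", 5432, 40001)  # server -> user (should be blocked)


def analyze():
    user_to_server = reachable_set(PATH, [WEB, DB])
    server_to_user = reachable_set(reverse_path(PATH), [WEB.reply(), SERVER_INITIATED])
    impact = change_impact(reverse_path(PATH), reverse_path(PATH_CHANGED),
                           [WEB.reply(), SERVER_INITIATED])
    return user_to_server, server_to_user, impact


if __name__ == "__main__":
    u2s, s2u, impact = analyze()
    print("user -> server reachable:", sorted(f"{f.src}->{f.dst}:{f.dport}" for f in u2s))
    print("server -> user reachable:", sorted(f"{f.src}->{f.dst}:{f.dport}" for f in s2u))
    print("impact of FW change:", impact)
```

In the constructed configuration only HTTPS to the web server and its reply traffic are reachable; the "small" change on FW's outbound ACL does not alter any user-to-server access, yet the diff shows it newly allows server-initiated connections toward the user LAN, which is exactly the class of unexpected access a per-device review of the change would miss.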

Original language: English (US)
Title of host publication: 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009
Pages: 585-590
Number of pages: 6
DOIs: https://doi.org/10.1109/INM.2009.5188865
State: Published - Nov 17 2009
Externally published: Yes
Event: 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009 - New York, NY, United States
Duration: Jun 1 2009 to Jun 5 2009

Publication series

Name: 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009

Other

Other: 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009
Country: United States
City: New York, NY
Period: 6/1/09 to 6/5/09

Fingerprint

Network security
Routers
Switches
Engineers
Testing

Cite this

Bandhakavi, S., Bhatt, S., Okita, C., & Rao, P. (2009). Analyzing end-to-end network reachability. In 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009 (pp. 585-590). [5188865] (2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009). https://doi.org/10.1109/INM.2009.5188865
Bandhakavi, Sruthi ; Bhatt, Sandeep ; Okita, Cat ; Rao, Prasad. / Analyzing end-to-end network reachability. 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009. 2009. pp. 585-590 (2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009).
@inproceedings{a5ec7c803ff74071a642bd8b13365f61,
title = "Analyzing end-to-end network reachability",
abstract = "Network security administrators cannot always accurately tell which end-to-end accesses are permitted within their network, and which ones are not. The problem is that every access is determined by the configurations of multiple, separately administered components. As configurations evolve, a small change in one configuration file can have widespread impact on the end-to-end accesses. Short of exhaustive testing, which is impractical, there are no good solutions to analyze end-to-end flows from network configurations. This paper presents a general technique to analyze all the end-to-end accesses from the configuration files of network routers, switches and firewalls. We efficiently analyze certain state-dependent filter rules. Our goal is to help network security engineers and operators quickly determine configuration errors that may cause unexpected behavior such as unwanted accesses or unreachable services. Our technique can also be used as part of the change management process, to help prevent network misconfiguration.",
author = "Sruthi Bandhakavi and Sandeep Bhatt and Cat Okita and Prasad Rao",
year = "2009",
month = "11",
day = "17",
doi = "https://doi.org/10.1109/INM.2009.5188865",
language = "English (US)",
isbn = "9781424434879",
series = "2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009",
pages = "585--590",
booktitle = "2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009",

}

Bandhakavi, S, Bhatt, S, Okita, C & Rao, P 2009, Analyzing end-to-end network reachability. in 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009., 5188865, 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009, pp. 585-590, 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009, New York, NY, United States, 6/1/09. https://doi.org/10.1109/INM.2009.5188865

Analyzing end-to-end network reachability. / Bandhakavi, Sruthi; Bhatt, Sandeep; Okita, Cat; Rao, Prasad.

2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009. 2009. p. 585-590 5188865 (2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009).

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

TY - GEN

T1 - Analyzing end-to-end network reachability

AU - Bandhakavi, Sruthi

AU - Bhatt, Sandeep

AU - Okita, Cat

AU - Rao, Prasad

PY - 2009/11/17

Y1 - 2009/11/17

N2 - Network security administrators cannot always accurately tell which end-to-end accesses are permitted within their network, and which ones are not. The problem is that every access is determined by the configurations of multiple, separately administered components. As configurations evolve, a small change in one configuration file can have widespread impact on the end-to-end accesses. Short of exhaustive testing, which is impractical, there are no good solutions to analyze end-to-end flows from network configurations. This paper presents a general technique to analyze all the end-to-end accesses from the configuration files of network routers, switches and firewalls. We efficiently analyze certain state-dependent filter rules. Our goal is to help network security engineers and operators quickly determine configuration errors that may cause unexpected behavior such as unwanted accesses or unreachable services. Our technique can also be used as part of the change management process, to help prevent network misconfiguration.

AB - Network security administrators cannot always accurately tell which end-to-end accesses are permitted within their network, and which ones are not. The problem is that every access is determined by the configurations of multiple, separately administered components. As configurations evolve, a small change in one configuration file can have widespread impact on the end-to-end accesses. Short of exhaustive testing, which is impractical, there are no good solutions to analyze end-to-end flows from network configurations. This paper presents a general technique to analyze all the end-to-end accesses from the configuration files of network routers, switches and firewalls. We efficiently analyze certain state-dependent filter rules. Our goal is to help network security engineers and operators quickly determine configuration errors that may cause unexpected behavior such as unwanted accesses or unreachable services. Our technique can also be used as part of the change management process, to help prevent network misconfiguration.

UR - http://www.scopus.com/inward/record.url?scp=70449374903&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70449374903&partnerID=8YFLogxK

U2 - https://doi.org/10.1109/INM.2009.5188865

DO - https://doi.org/10.1109/INM.2009.5188865

M3 - Conference contribution

SN - 9781424434879

T3 - 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009

SP - 585

EP - 590

BT - 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009

ER -

Bandhakavi S, Bhatt S, Okita C, Rao P. Analyzing end-to-end network reachability. In 2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009. 2009. p. 585-590. 5188865. (2009 IFIP/IEEE International Symposium on Integrated Network Management, IM 2009). https://doi.org/10.1109/INM.2009.5188865