Accession Number:

ADA467157

Title:

Static Reachability Analysis and Validation Regarding Security Policies Implemented via Packet Filters

Descriptive Note:

Master's thesis

Corporate Author:

NAVAL POSTGRADUATE SCHOOL MONTEREY CA

Personal Author(s):

Report Date:

2007-03-01

Pagination or Media Count:

69

Abstract:

The ability to statically determine what kinds of packets can be exchanged between two hosts on a network is desirable to those who design and operate networks, but it is a difficult and complex problem. The factors affecting reachability analysis are packet filters, routing policies, and packet transformations. The number of variables within and among networks is intractable for manual computation. A proposed solution is a tractable framework into which networks can be mapped, creating a single unified model for analysis. It depends heavily on transforming the problem into a classical graph problem that can be solved with polynomial-time algorithms such as transitive closure. This research develops an automated validation process to test the reachability upper bound calculated by a recent implementation of the framework, which focuses specifically on the packet filter aspect, namely access control lists. Real-world network configuration files and network packet flow data from a Tier-1 Internet Service Provider are supplied as the data set. A significant contribution of this thesis is the application of real-world data to the proposed method for static reachability analysis as it pertains to the static testing of security policies applied via packet filters.
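The graph formulation the abstract sketches, worked through as an added example (this is not the thesis's tool or the framework implementation it evaluates): each directed link carries an ACL, one adjacency matrix is built per packet class holding the links whose ACL permits that class, Warshall's transitive closure gives the static reachability upper bound, and observed flows are then checked against that bound. The node names, ACL rules and flow records are constructed for illustration; a packet class is simplified to a (protocol, destination port) pair, ACLs are first-match with an implicit deny, and routing policy and packet transformations are deliberately left out, which is exactly why the result is only an upper bound.

```python
"""Static reachability upper bound over ACL-filtered links, validated against flow data.

Added example, not the thesis's own code. Assumptions (all simplifications):
  - a packet class is a (protocol, destination port) pair;
  - each directed link has an ACL: ordered (action, proto, port) rules, first match
    wins, implicit deny at the end, '*' is a wildcard;
  - no routing policy or NAT/transformation is modelled, so the closure is an upper
    bound on what the filters alone allow.
"""

ANY = "*"

def acl_permits(acl, proto, port):
    """First-match ACL evaluation with implicit deny."""
    for action, r_proto, r_port in acl:
        if r_proto in (ANY, proto) and r_port in (ANY, port):
            return action == "permit"
    return False

def link_matrix(nodes, links, acls, pkt_class):
    """Reflexive adjacency matrix for one packet class: edge kept iff its ACL permits."""
    idx = {n: i for i, n in enumerate(nodes)}
    n = len(nodes)
    m = [[i == j for j in range(n)] for i in range(n)]
    for (src, dst), acl_name in links.items():
        if acl_permits(acls[acl_name], *pkt_class):
            m[idx[src]][idx[dst]] = True
    return m

def transitive_closure(m):
    """Warshall's algorithm, O(n^3): reach[i][j] iff a path of permitting links exists."""
    n = len(m)
    reach = [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = True
    return reach

def reachability_upper_bound(nodes, links, acls, classes):
    """Map each packet class to the set of (src, dst) pairs the filters can let through."""
    bound = {}
    for c in classes:
        reach = transitive_closure(link_matrix(nodes, links, acls, c))
        bound[c] = {(nodes[i], nodes[j])
                    for i in range(len(nodes)) for j in range(len(nodes))
                    if i != j and reach[i][j]}
    return bound

def validate_against_flows(bound, flows):
    """Return observed flows (src, dst, proto, port) that fall outside the static bound.

    Since the closure is an upper bound, a real flow outside it means the model is
    missing a link, an ACL, or a transformation; it is a modelling error to chase,
    not evidence that the network is misconfigured.
    """
    return [f for f in flows if (f[0], f[1]) not in bound.get((f[2], f[3]), set())]

# --- constructed sample network (hypothetical names and rules) ---
NODES = ["A", "B", "C", "D"]
LINKS = {("A", "B"): "edge_in", ("B", "A"): "edge_out",
         ("B", "C"): "core", ("C", "D"): "dmz_in", ("D", "C"): "dmz_out"}
ACLS = {
    "edge_in":  [("permit", "tcp", 80), ("permit", "tcp", 443)],   # implicit deny
    "edge_out": [("permit", ANY, ANY)],
    "core":     [("permit", ANY, ANY)],
    "dmz_in":   [("permit", "tcp", 80)],                           # only web into D
    "dmz_out":  [("permit", ANY, ANY)],
}
CLASSES = [("tcp", 80), ("tcp", 443), ("tcp", 22)]
# Constructed "observed" flow records: (src, dst, proto, dst_port).
FLOWS = [("A", "D", "tcp", 80), ("A", "D", "tcp", 443),
         ("D", "C", "tcp", 22), ("A", "C", "tcp", 22)]

def run_example():
    """Compute the upper bound for the sample network and validate the sample flows."""
    bound = reachability_upper_bound(NODES, LINKS, ACLS, CLASSES)
    return bound, validate_against_flows(bound, FLOWS)

if __name__ == "__main__":
    bound, violations = run_example()
    for c in CLASSES:
        print(c, sorted(bound[c]))
    print("flows outside the static bound:", violations)
```

On the sample data the two tcp/443 and tcp/22 flows from A are reported as outside the bound: the A-to-B ACL admits only 80 and 443, and the link into D admits only 80, so if a flow collector really saw them the model is incomplete (an unmodelled path or a rewrite), which is the kind of discrepancy the validation step in the thesis is meant to surface.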

Subject Categories:

  • Government and Political Science
  • Computer Systems
  • Computer Systems Management and Standards

Distribution Statement:

APPROVED FOR PUBLIC RELEASE