Towards automated identification of security zone classification in enterprise networks

  • Authors:
  • HariGovind V. Ramasamy; Cheng-Lin Tsao; Birgit Pfitzmann; Nikolai Joukov; James W. Murray

  • Affiliations:
  • Services Research, IBM Research, Hawthorne, NY; Georgia Tech, Atlanta, GA; Services Research, IBM Research, Hawthorne, NY; Services Research, IBM Research, Hawthorne, NY; IBM, Raleigh, NC

  • Venue:
  • Hot-ICE'11 Proceedings of the 11th USENIX conference on Hot topics in management of internet, cloud, and enterprise networks and services
  • Year:
  • 2011

Abstract

Knowledge of the security zone classification of devices in an enterprise information technology (IT) infrastructure is essential in many enterprise IT transformation and optimization activities. We describe a systematic and semi-automated approach for discovering the security zone classification of devices in an enterprise network. For reduced interference with normal operation of the IT infrastructure, our approach is structured in stages, each consisting of two phases: one phase involves collecting information about actually allowed network flows, followed by an analysis phase. As part of our approach, we describe an elimination-based inference algorithm. We also present an alternative to the algorithm based on the Constraint Satisfaction Problem, and explore trade-offs between the two. Using a case study, we demonstrate the validity of our approach.