Modeling and Management of Firewall Policies
IEEE Transactions on Network and Service Management
Taxonomy of conflicts in network security policies
IEEE Communications Magazine
Hi-index | 0.00 |
Knowledge of the security zone classification of devices in an enterprise information technology (IT) infrastructure is essential in many enterprise IT transformation and optimization activities. We describe a systematic and semi-automated approach for discovering the security zone classification of devices in an enterprise network. For reduced interference with normal operation of the IT infrastructure, our approach is structured in stages, each consisting of two phases: one phase involves collecting information about actually allowed network flows, followed by an analysis phase. As part of our approach, we describe an elimination-based inference algorithm. We also present an alternative to the algorithm based on the Constraint Satisfaction Problem, and explore trade-offs between the two. Using a case study, we demonstrate the validity of our approach.