Quantifying and verifying reachability for access controlled networks

Authors:
Alex X. Liu;Amir R. Khakpour
Affiliations:
Department of Computer Science and Engineering, Michigan State University, East Lansing, MI;Department of Computer Science and Engineering, Michigan State University, East Lansing, MI
Venue:
IEEE/ACM Transactions on Networking (TON)
Year:
2013

Citing 11
Cited 0

End-to-end routing behavior in the Internet

IEEE/ACM Transactions on Networking (TON)
Understanding BGP misconfiguration

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Fang: A Firewall Analysis Engine

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
A Quantitative Study of Firewall Configuration Errors

Computer
Practical Attack Graph Generation for Network Defense

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Structured firewall design

Computer Networks: The International Journal of Computer and Telecommunications Networking
Why do internet services fail, and what can be done about it?

USITS'03 Proceedings of the 4th conference on USENIX Symposium on Internet Technologies and Systems - Volume 4
Diverse Firewall Design

IEEE Transactions on Parallel and Distributed Systems
Firewall Policy Queries

IEEE Transactions on Parallel and Distributed Systems
Modeling and understanding end-to-end class of service policies in operational networks

Proceedings of the ACM SIGCOMM 2009 conference on Data communication
TCAM Razor: a systematic approach towards minimizing packet classifiers in TCAMs

IEEE/ACM Transactions on Networking (TON)

Quantified Score

Hi-index	0.00

Visualization

Abstract

Quantifying and querying network reachability is important for security monitoring and auditing as well as many aspects of network management such as troubleshooting, maintenance, and design. Although attempts to model network reachability have been made, feasible solutions to computing network reachability have remained unknown. In this paper, we propose a suite of algorithms for quantifying reachability based on network configurations [mainly Access Control Lists (ACLs)] as well as solutions for querying network reachability. We present a network reachability model that considers connectionless and connection-oriented transport protocols, stateless and stateful routers/ firewalls, static and dynamic NAT, PAT, IP tunneling, etc. We implemented the algorithms in our network reachability tool called Quarnet and conducted experiments on a university network. Experimental results show that the offline computation of reachability matrices takes a few hours, and the online processing of a reachability query takes 0.075 s on average.