Improved reachability analysis for security management
Basile, Cataldo; Canavese, Daniele; Lioy, Antonio; Pitscheider, Christian
2013
Abstract
Network reachability analysis evaluates the actual connectivity of an IT infrastructure. It can be performed by active network probing or by examining a formal model of the target IT infrastructure. The latter approach is preferable, as it does not interfere with normal network behaviour and can easily be used during the development and change management phases. In this paper we propose a novel modelling approach, based on a geometric representation of device configurations (i.e. the policies), which permits the computation of reachability using the concept of an equivalent firewall. An equivalent firewall is a fictitious device, ideally connected directly to the communication endpoints, that summarizes the network behaviour between them. Our model supports routing, filtering and address translation devices in a computationally efficient way. In fact, the experimental results show that the computation of equivalent firewalls takes negligible time and that, afterwards, reachability queries are answered in a few seconds.
Improved reachability analysis for security management / Basile, Cataldo; Canavese, Daniele; Lioy, Antonio; Pitscheider, Christian. - PRINT. - (2013), pp. 534-541. (Paper presented at PDP-2013: 21st Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, held in Belfast (UK), February 27 - March 1, 2013) [10.1109/PDP.2013.86].
https://hdl.handle.net/11583/2504319