
Static Reachability Analysis and Validation Regarding Security Policies Implemented via Packet Filters


Abstract

The ability to statically determine what kinds of packets can be exchanged between two hosts on a network is desirable to those who design and operate networks, but this is a difficult and complex problem. Factors affecting reachability analysis are packet filters, routing policies, and packet transformations. The number of variables within and among networks makes manual computation intractable. A proposed solution is a tractable framework into which networks are mapped, creating a single unified model for analysis. It depends heavily on transforming the problem into a classical graph problem that can be solved with polynomial-time algorithms such as transitive closure. This research develops an automated validation process to test the reachability upper bound calculated by a recent implementation of the framework, which focuses specifically on the packet filter aspect, namely access control lists. Real-world network configuration files and network packet flow data from a Tier-1 Internet Service Provider are supplied as the data set. A significant contribution of this thesis is the application of real-world data to the proposed method for static reachability analysis as it pertains to the static testing of security policies applied via packet filters.
