Static reachability analysis and validation regarding security policies implemented via packet filters
Main Author: | Kantz, Stephen M. |
---|---|
Other Authors: | Xie, Geoffrey; Riehle, Richard |
Published: |
Monterey, California. Naval Postgraduate School
2012
|
Online Access: | http://hdl.handle.net/10945/3586 |
id |
ndltd-nps.edu-oai-calhoun.nps.edu-10945-3586 |
---|---|
record_format |
oai_dc |
spelling |
Kantz, Stephen M.; Xie, Geoffrey; Riehle, Richard; Naval Postgraduate School (U.S.). Thesis, 2007-03. Record dates: 2012-03-14T17:38:48Z; record datestamp 2014-11-27T16:04:43Z. Identifiers: http://hdl.handle.net/10945/3586; 129950333. Approved for public release, distribution unlimited. This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. As such, it is in the public domain, and under the provisions of Title 17, United States Code, Section 105, it may not be copyrighted. Monterey, California. Naval Postgraduate School |
collection |
NDLTD |
description |
Approved for public release, distribution unlimited. The ability to statically determine what kinds of packets can be exchanged between two hosts on a network is desirable to those who design and operate networks, but it is a difficult and complex problem. The factors affecting reachability analysis are packet filters, routing policies and packet transformations, and the number of variables within and among networks is intractable for manual computation. A proposed solution is a tractable framework into which networks are mapped, creating a single unified model for analysis. It depends heavily on transforming the problem into a classical graph problem that can be solved with polynomial-time algorithms such as transitive closure. This research develops an automated validation process to test the reachability upper bound calculated by a recent implementation of the framework, one that focuses specifically on the packet filter aspect, namely access control lists. Real-world network configuration files and network packet flow data from a Tier-1 Internet Service Provider are supplied as the data set. A significant contribution of this thesis is the application of real-world data to the proposed method for static reachability analysis as it pertains to the static testing of security policies applied via packet filters. |
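The abstract describes two ideas without showing them: computing an upper bound on the packets that can pass between two routers by turning the ACL-annotated topology into a graph problem solved by transitive closure, and validating that bound against observed flow records. The example below is added here to illustrate both; it is not code from the thesis, from the framework it evaluates, or from NPS. It assumes a simplified model: routers are graph nodes, each directed link carries an ordered first-match ACL with an implicit deny, the header space is discretised into a finite list of flows of interest (for instance the tuples seen in flow records), and packet sets are therefore plain sets of flows. The ACL syntax, the sample topology, the flows and the "observed" records are all constructed for the example.

```python
"""Reachability upper bound through packet filters as a transitive closure.

Added illustration, not the thesis's code.  Assumed model: routers are
nodes of a directed graph; each directed link carries an ordered ACL
evaluated first-match with an implicit deny; the header space is reduced
to a finite list of flows of interest, so a packet set is a frozenset of
flows.  The closure is a Floyd-Warshall pass over the (union, intersection)
semiring on those sets.  The ACL syntax is hypothetical.
"""
from ipaddress import ip_address, ip_network


def parse_rule(text):
    """'permit|deny SRC_PREFIX DST_PREFIX PROTO PORT'; 'any' wildcards
    PROTO or PORT.  Hypothetical syntax, loosely like an extended ACL."""
    action, src, dst, proto, port = text.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {text!r}")
    return (action, ip_network(src), ip_network(dst), proto,
            None if port == "any" else int(port))


def acl_permits(rules, flow):
    """First-match evaluation; no match falls through to the implicit deny."""
    src, dst, proto, port = flow
    for action, rsrc, rdst, rproto, rport in rules:
        if (ip_address(src) in rsrc and ip_address(dst) in rdst
                and rproto in ("any", proto) and rport in (None, port)):
            return action == "permit"
    return False


def edge_packet_sets(links, flows):
    """For each directed link (u, v), the frozenset of flows its ACL passes."""
    out = {}
    for (u, v), texts in links.items():
        rules = [parse_rule(t) for t in texts]
        out[(u, v)] = frozenset(f for f in flows if acl_permits(rules, f))
    return out


def reachability_upper_bound(nodes, edges):
    """Floyd-Warshall over the (union, intersection) semiring.
    R[i][j] = union over every path i -> j of the intersection of the packet
    sets on its links.  Routing policy and packet transformations are
    ignored, which is why the result is only an upper bound."""
    R = {i: {j: frozenset() for j in nodes} for i in nodes}
    for (u, v), pkts in edges.items():
        R[u][v] = R[u][v] | pkts
    for k in nodes:
        for i in nodes:
            for j in nodes:
                R[i][j] = R[i][j] | (R[i][k] & R[k][j])
    return R


def validate_against_observed(R, observed):
    """Flows actually seen from i to j must lie inside the bound; anything
    outside it indicates an error in the topology or ACL model."""
    return [(i, j, f) for i, j, f in observed if f not in R[i][j]]


# Constructed sample network: A reaches C either via core router B or via
# backup router D.  Only D's link lets TCP/443 through to C.
NODES = ["A", "B", "C", "D"]
LINKS = {
    ("A", "B"): ["permit 10.1.0.0/16 192.0.2.0/24 tcp 80",
                 "permit 10.1.0.0/16 192.0.2.0/24 tcp 443",
                 "deny 0.0.0.0/0 0.0.0.0/0 any any"],
    ("B", "C"): ["deny 0.0.0.0/0 192.0.2.0/24 tcp 443",
                 "permit 0.0.0.0/0 0.0.0.0/0 any any"],
    ("A", "D"): ["permit 0.0.0.0/0 0.0.0.0/0 any any"],
    ("D", "C"): ["permit 10.1.0.0/16 0.0.0.0/0 tcp 443",
                 "deny 0.0.0.0/0 0.0.0.0/0 any any"],
}
# Constructed flows of interest: (src, dst, proto, dst port).
FLOWS = [
    ("10.1.2.3", "192.0.2.10", "tcp", 80),
    ("10.1.2.3", "192.0.2.10", "tcp", 22),
    ("10.1.2.3", "192.0.2.10", "tcp", 443),
    ("10.1.2.3", "198.51.100.5", "tcp", 80),
]
# Constructed "observed" flow records: (ingress node, egress node, flow).
# The TCP/22 record is deliberately outside the bound.
OBSERVED = [("A", "C", FLOWS[0]), ("A", "C", FLOWS[2]), ("A", "C", FLOWS[1])]


def run_example():
    R = reachability_upper_bound(NODES, edge_packet_sets(LINKS, FLOWS))
    return R, validate_against_observed(R, OBSERVED)


if __name__ == "__main__":
    R, bad = run_example()
    print("A -> C upper bound:", sorted(R["A"]["C"]))
    print("observed flows outside the bound:", bad)
```

The A to C bound comes out as the union of two path intersections: TCP/80 survives only the path through B, TCP/443 only the path through D, so both are in the bound even though routing may never use the backup link. That is the sense in which the closure over packet filters alone is an upper bound. The validation step is the thesis's idea in miniature: an observed flow that the model says is impossible is evidence that the model, not the network, is wrong.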