Research Article
Build and Test Your Own Network Configuration
@INPROCEEDINGS{10.1007/978-3-642-31909-9_33, author={Saeed Al-Haj and Padmalochan Bera and Ehab Al-Shaer}, title={Build and Test Your Own Network Configuration}, proceedings={Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers}, proceedings_a={SECURECOMM}, year={2012}, month={10}, keywords={Imperative analysis BDDs Formal methods Network configuration}, doi={10.1007/978-3-642-31909-9_33} }- Saeed Al-Haj
Padmalochan Bera
Ehab Al-Shaer
Year: 2012
Build and Test Your Own Network Configuration
SECURECOMM
Springer
DOI: 10.1007/978-3-642-31909-9_33
Abstract
Access control policies play a critical role in the security of enterprise networks deployed with variety of policy-based devices (e.g., routers, firewalls, and IPSec). Usually, the security policies are configured in the network devices in a distributed fashion through sets of access control lists (ACL). However, the increasing complexity of access control configurations due to larger networks and longer policies makes configuration errors inevitable. Incorrect policy configuration makes the network vulnerable to different attacks and security breaches. In this paper, we present an imperative framework, namely, , that provides an open programming platform for building the network security configuration globally and analyzing it systematically. The engine uses Binary Decision Diagram (BDD) to build a Boolean model that represents the global system behaviors including all possible interaction between various components in extensible and scalable manner. Our tool also provides a C/C++ API as a software wrapper on top of the BDD engine to allow users in defining topology, configurations, and reachability, and then analyzing in various abstraction levels, without requiring knowledge of BDD representation or operations.