Discovery, Generation and Analysis of Network Policy Configurations

From Anita Borg Institute Wiki


Presenter: Taghrid Samak (DePaul University)

My thesis work has three main parts:

  • Policy discovery investigates the possibility of probing a firewall by an adversary to infer the policy in place.
  • Policy generation is aimed at benefiting the research community in the area of policy testing and packet classification.
  • The last part models quality of service policy using a fuzzy logic approach for conflict analysis and policy verification.


Liz Kiewiet, GHC 2009 Live Notetaker. I also blog on the official Grace Hopper blog at http://ghcbloggers.blogspot.com

The thesis is concerned with QoS and security policies and the problems with them.

Configurations of network policy:

  • ACLs to protect LAN from internet
  • Bandwidth/delay restrictions on WAN facing network


Main Problems:

  • Policy discovery (feasibility of discovering firewall policies with acceptable accuracy using minimal intrusiveness [packet probes])
  • Policy generation (generating FW policies w/ different features for research purposes)
  • QoS policy model (policy model for conflict classification and policy verification)

Synthetic Policy Generation (capture domain information without affecting privacy)

  • Policy learning using probabilistic context-free grammar. Covers syntaxes for different devices.
  • Traffic-aware policy generation
    • generalizing traffic to rule sets via hierarchical clustering
    • capturing domain information. Useful for testing

Evaluation

  • policy feature evaluation
  • comparing traffic properties versus policy features.


QoS Policy Example

  • Router itself might not be able to handle QoS requirements
  • Formal Policy Model
    • SLA is the ideal policy that should be enforced.
    • Realization of the original SLA might differ at each node from source to destination
    • Using qualitative fuzzy logic.
  • Results: conflict modeling and analysis at the parameter level


Questions regarding the algorithm and the modeling program used. Do we need to change firewall policies, or is it discovered because of poor policy creation?

This is regarding the difference between learning policy and created policy.

