Mining policies from enterprise network configuration

Few studies so far have examined the nature of reachability policies in enterprise networks. A better understanding of reachability policies could inform both future approaches to network design and current network configuration mechanisms. In this paper, we introduce the notion of a policy unit, an abstract representation of how the policies implemented in a network apply to different network hosts. We develop an approach for reverse-engineering a network's policy units from its router configuration. We apply this approach to the configurations of five production networks, including three universities and two private enterprises. Through our empirical study, we validate that policy units capture useful characteristics of a network's policy. We also obtain insights into the nature of the policies implemented in modern enterprises. For example, we find that most hosts in these networks are subject to nearly identical reachability policies at Layer 3.
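To make the notion of a policy unit concrete, the following added example (not the paper's code or its reverse-engineering algorithm) models a router's filtering rules as a first-match ACL, probes which destination services each host can reach, and then groups hosts that share an identical reachability signature into one unit. The rules, hosts and services are constructed for illustration; the paper works from real router configurations and a richer policy model.

```python
"""Toy 'policy unit' computation: hosts that are subject to the same
reachability policy (same permitted (destination, service) set) are grouped
together. The rule model and all inputs are constructed for this example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed ACL-style rules, evaluated first-match with an implicit deny.
# Each rule: (src_prefix, dst_prefix, dst_port or None for any port, action)
RULES = [
    ("10.1.0.0/24", "10.9.0.10/32", 22, "permit"),    # admin subnet may ssh to server
    ("10.0.0.0/8", "10.9.0.10/32", 22, "deny"),       # everyone else: no ssh
    ("10.0.0.0/8", "10.9.0.10/32", 443, "permit"),    # all: https to server
    ("10.0.0.0/8", "10.9.0.11/32", 53, "permit"),     # all: dns
    ("10.2.0.0/24", "10.9.0.12/32", 3306, "permit"),  # db client subnet only
]

# Constructed (destination, port) services used to probe the policy.
SERVICES = [("10.9.0.10", 22), ("10.9.0.10", 443),
            ("10.9.0.11", 53), ("10.9.0.12", 3306)]

# Constructed host population.
HOSTS = ["10.1.0.5", "10.3.0.7", "10.3.0.8", "10.4.0.1", "10.2.0.9"]


def decide(src, dst, port, rules=RULES):
    """Return True if the first matching rule permits src -> dst:port."""
    s, d = ip_address(src), ip_address(dst)
    for src_pfx, dst_pfx, rule_port, action in rules:
        if (s in ip_network(src_pfx) and d in ip_network(dst_pfx)
                and (rule_port is None or rule_port == port)):
            return action == "permit"
    return False  # implicit deny


def signature(host, services=SERVICES, rules=RULES):
    """The reachability policy a host is subject to: its permitted services."""
    return frozenset((dst, port) for dst, port in services
                     if decide(host, dst, port, rules))


def policy_units(hosts=HOSTS, services=SERVICES, rules=RULES):
    """Group hosts by identical signature; each group is one policy unit."""
    units = defaultdict(list)
    for h in hosts:
        units[signature(h, services, rules)].append(h)
    return dict(units)


def largest_unit_fraction(hosts=HOSTS, services=SERVICES, rules=RULES):
    """Share of hosts covered by the biggest unit (the paper's headline
    observation is that this share is large in real networks)."""
    units = policy_units(hosts, services, rules)
    return max(len(v) for v in units.values()) / len(hosts)


if __name__ == "__main__":
    for sig, members in policy_units().items():
        print(sorted(sig), "->", members)
    print("largest unit covers", largest_unit_fraction(), "of hosts")
```

Running it yields three units: the admin host, the database client, and a single unit holding the remaining three hosts, which is the kind of structure the paper reports at scale. In a real configuration the signature would also have to account for routing reachability and per-interface ACL placement, not just one flat rule list.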
