Network management systems implement policies by configuring managed devices in the network, such as routers, switches, gateways, and firewalls, with instructions appropriate to carry out a desired policy. One general application for a network management system is implementation of a security policy on firewalls and other security devices. A policy server may be used in conjunction with other components to configure security devices on the network with security policies. CISCO SECURE POLICY MANAGER (CSPM), manufactured by CISCO SYSTEMS, INC., San Jose, Calif., is a commercially available software package for implementing security policies using a policy server.
An access control list (ACL) is a data structure that contains instructions for configuring firewalls and other security devices on a network. The instructions are usually provided by an administrator or operator of the network. Each firewall that is managed on a network may be configured by one or more ACLs. Each ACL typically contains multiple entries. Each entry identifies specific attributes associated with communication packets and instructions on how communication packets with such attributes are to be treated by the firewalls. The instruction provided with each entry specifies, for example, whether certain communication packets are to be permitted or denied based on source and/or destination information, protocol information, etc.
Usually, each firewall has been configured by at least one active ACL that was created and stored on a server of the network management system. ACLs are subject to revisions and updates, so the policy server may store several prior versions of an ACL. The ACL may be updated through the addition of entries, which provide new or superseding instructions for specified communication packets that may pass through the network. ACLs may contain hundreds or thousands of entries, each of which specifies a particular instruction for a specified set of communication packets.
In a typical configuration, each firewall is configured by at least one ACL that is maintained on a server of the network management system. Numerous ACLs may exist for the same network.
Two ACLs are functionally equivalent when each ACL implements the same policy action on the same set of communication packets. However, two functionally equivalent ACLs may be very different in length or size, form and structure. One ACL may contain several more entries than another, but the ultimate effect of each ACL on communication packets passing through the network may be the same. The two ACLs may be equivalent because the ACL entries may supersede one another, include overlapping ranges of addresses, or combine with one another to have the same effect as one entry for a particular set of communication packets. For example, one entry from a first ACL may be equivalent to multiple entries from a second ACL, or one entry on the ACL may supersede other entries in the same ACL. As another example, a new ACL entry may supersede multiple prior entries, so that one ACL has redundant entries, while another does not.
There are several scenarios where it is desirable to determine whether two ACLs that appear to be different are equivalent in effect. For example, in one scenario, a network management system implements a security audit utility that periodically checks for validity of existing firewall configurations against an approved configuration. The approved configuration may be implemented using an approved ACL. Each firewall configuration may be checked against the approved configuration by comparing the ACL of that firewall to the approved ACL to determine whether the two ACLs are equivalent.
In another scenario, a network may be managed by a security management tool, such as CSPM, that enforces security on a number of firewalls and virtual private networks. Typically, an administrator writes new policies for the network, and the tool may compute new configurations based on the new policies. The tool is required to validate any new configuration against the existing configurations of the devices. One step for validating security configurations includes comparing the ACL of an existing configuration with the ACL of a new configuration. The comparison enables the administrator of the network to detect when new configurations will change policies on the security devices. In addition, if the administrator can detect that the new configurations are equivalent to the existing configurations, the administrator will be able to avoid reconfiguring the device, thereby reducing device downtime.
In a third scenario, an administrator may wish to reduce the size, or otherwise optimize, the ACLs on the network, to improve processing efficiency and speed. For example, if there are two functionally equivalent ACLs but a first one of the ACLs has a substantially larger number of entries, that ACL will require more time to process than the shorter of the two. The administrator may identify a more optimal ACL for a particular firewall. The administrator may then compare the existing ACL to the more optimal ACL in order to validate that the optimal ACL is equivalent to the existing ACL. Such optimization may also improve readability and maintainability of the ACLs.
The process of comparing ACLs can be cumbersome and labor-intensive. As mentioned, entries in an ACL that appear to be different may be functionally equivalent with respect to how they affect communication packets passing through the network. Furthermore, entries may be ordered differently, making determination of equivalence between two ACLs even more difficult.
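The notion of functional equivalence described above (superseding entries, overlapping address ranges, several entries collapsing into one, and entries ordered differently) can be made exact by asking one question: does every packet receive the same first-match decision under both ACLs? The following is an added example written for this section; it is not code from the document, from CSPM, or from any vendor. It assumes a simplified four-field packet model (IPv4 source, IPv4 destination, IP protocol number, destination port), first-match evaluation with an implicit deny, and sample ACLs that are constructed for illustration. It checks equivalence by splitting each field at every range boundary that any entry uses and testing one packet per elementary box, which is complete because no entry's match result can change inside such a box.

```python
"""Exact first-match ACL equivalence check by elementary-box enumeration.

Added example, not from the original document. Packet model (an assumption):
(src IPv4, dst IPv4, IP protocol number, destination port). Entries are
evaluated first-match with an implicit "deny" when nothing matches.
"""
import ipaddress
from itertools import product

IP_MAX, PROTO_MAX, PORT_MAX = 2**32 - 1, 255, 65535
PROTO_RANGE = {"ip": (0, PROTO_MAX), "icmp": (1, 1), "tcp": (6, 6), "udp": (17, 17)}


def cidr_range(cidr):
    """Map a CIDR string (or 'any') to an inclusive integer address range."""
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


class Entry:
    """One ACL entry: an action plus an inclusive range on each header field."""

    def __init__(self, action, proto, src, dst, dport=None):
        self.action = action
        self.proto = PROTO_RANGE[proto]
        self.src = cidr_range(src)
        self.dst = cidr_range(dst)
        # dport: None (any), a single int, or an inclusive (lo, hi) tuple
        if dport is None:
            self.dport = (0, PORT_MAX)
        elif isinstance(dport, int):
            self.dport = (dport, dport)
        else:
            self.dport = tuple(dport)

    def matches(self, pkt):
        s, d, p, port = pkt
        return (self.src[0] <= s <= self.src[1] and self.dst[0] <= d <= self.dst[1]
                and self.proto[0] <= p <= self.proto[1]
                and self.dport[0] <= port <= self.dport[1])


def evaluate(acl, pkt, default="deny"):
    """First-match evaluation: the action of the first entry that matches pkt."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return default


def boundaries(acls, field, field_max):
    """Lower bounds of the elementary intervals that all entries induce on one
    field. Every entry's range is a union of these intervals, so an entry either
    matches a whole interval or none of it."""
    points = {0}
    for acl in acls:
        for entry in acl:
            lo, hi = getattr(entry, field)
            points.add(lo)
            if hi < field_max:
                points.add(hi + 1)
    return sorted(points)


def find_difference(acl_a, acl_b):
    """Return a (src, dst, proto, dport) tuple that the two ACLs treat
    differently, or None when they are functionally equivalent. Testing the
    lower corner of every elementary box is exact, because each ACL's
    first-match decision is constant within a box."""
    acls = (acl_a, acl_b)
    grid = (boundaries(acls, "src", IP_MAX), boundaries(acls, "dst", IP_MAX),
            boundaries(acls, "proto", PROTO_MAX), boundaries(acls, "dport", PORT_MAX))
    for pkt in product(*grid):
        if evaluate(acl_a, pkt) != evaluate(acl_b, pkt):
            return pkt
    return None


def equivalent(acl_a, acl_b):
    return find_difference(acl_a, acl_b) is None


# Constructed sample ACLs. ACL_A is verbose and ends with an explicit deny;
# ACL_B permits exactly the same traffic with one aggregated entry, in a
# different order, plus a redundant deny already covered by the implicit deny.
ACL_A = [
    Entry("permit", "tcp", "10.0.0.0/24", "192.168.1.0/24", 80),
    Entry("permit", "tcp", "10.0.1.0/24", "192.168.1.0/24", 80),
    Entry("deny", "ip", "any", "any"),
]
ACL_B = [
    Entry("deny", "tcp", "10.0.1.0/25", "192.168.1.0/24", 443),
    Entry("permit", "tcp", "10.0.0.0/23", "192.168.1.0/24", 80),
]
# ACL_C resembles ACL_B but also opens port 81, so it is not equivalent.
ACL_C = [Entry("permit", "tcp", "10.0.0.0/23", "192.168.1.0/24", (80, 81))]
# ACL_D has overlapping entries, so reversing their order changes the policy.
ACL_D = [
    Entry("deny", "tcp", "10.0.1.0/25", "192.168.1.0/24", 80),
    Entry("permit", "tcp", "10.0.0.0/23", "192.168.1.0/24", 80),
]

if __name__ == "__main__":
    print("ACL_A equivalent to ACL_B:", equivalent(ACL_A, ACL_B))
    print("ACL_A differs from ACL_C on:", find_difference(ACL_A, ACL_C))
    print("ACL_D equivalent to its reverse:", equivalent(ACL_D, list(reversed(ACL_D))))
```

The check is exact rather than heuristic, and when two ACLs differ it returns a witness packet, which is what an audit utility or a pre-deployment validation step needs in order to report what would change. Its cost is the product of the boundary counts over the four fields, so it serves as a reference checker for small ACLs and as a ground truth for testing a faster method; it is not the scalable technique that the remainder of the document is motivating.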
Current techniques for comparing ACLs generally require extensive manual input and calculation. The task of comparing two or more ACLs is typically performed by an administrator or other skilled technician. Comparing two or more ACLs can become a very tedious, and even impossible, task as the size of the ACLs increases.
Based on the foregoing, there is a clear need for a technique to automate a determination of whether two or more ACLs are equivalent. Furthermore, there is a need to automate the determination of whether two or more ACLs are equivalent, when the ACLs carry a large number of entries.
The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.