In policy-based security management, as applied in computer networks, the user inputs a network topology and a list of end-to-end security policies to a policy manager. Each security policy regulates how packets from a source network object to a destination network object are to be treated. In particular, each security policy determines whether packets between the source and destination nodes will be denied or permitted, and if permitted, under what conditions. The topology describes the arrangement of network devices.
Security management software is typically operated on a policy server that enforces a security policy specified by the user. An example of security management software is CISCO SECURE POLICY MANAGER (CSPM). The security management software implements security policies on devices in the network, including security devices and firewalls that may be located on the network.
In the case where static routing is used to connect a source and destination node, enforcing a security policy is simple. Static routing usually results in only one communication path existing between the source node and the destination node. The security policy is implemented on firewalls on that communication path.
More typically, dynamic routing is used to connect the source node to the destination node. In dynamic routing, there may be numerous communication paths between the source node and destination node. In this case, the most conservative implementation of a security policy is to configure all enforcement firewalls using the policy, so that the policy is enforced on every possible routing path from the source node to the destination node.
In the case where dynamic routing is used, it is typically a challenging task to efficiently identify all enforcement firewalls that may potentially need to implement a security policy between a given source node and destination node. One current approach uses a “brute-force” methodology to find all possible paths between the source and destination nodes. Then, every path is examined to identify the enforcement firewalls for the source and destination node. The “brute-force” approach is very computationally expensive, and has exponential complexity because all paths between the source and destination nodes are computed. For example, it can take days for a policy server to determine all possible communication paths between a source node and destination node for a network having thousands of nodes.
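As an added illustration (not code from the original document or from any product it names), the following Python contrasts the brute-force enumeration of all simple paths described above with a linear-time reachability check that returns a conservative superset of the enforcement firewalls: every firewall on some source-to-destination path is included, at the cost of possibly configuring a firewall that is not strictly needed. The topology, node names and firewall set are constructed for the example.

```python
from collections import deque
# Constructed topology (not from the page): directed adjacency, one entry per
# link direction. FW* nodes are the enforcement firewalls.
TOPOLOGY = {
    "S": ["R1"], "R1": ["FW1", "R2", "FW5"], "FW1": ["D"],
    "FW5": ["R1"],             # stub hanging off R1: never on a simple S->D path
    "R2": ["FW2", "R3"], "FW2": ["D"],
    "R3": ["FW3"], "FW3": [],  # dead-end branch: cannot reach D
    "D": ["R4"], "R4": ["FW4"], "FW4": ["D"],  # loop below D: only reachable via D
}
FIREWALLS = {"FW1", "FW2", "FW3", "FW4", "FW5"}

def all_simple_paths(topo, src, dst):
    # Brute-force DFS over simple paths: exponential in the worst case.
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in topo.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths

def firewalls_by_enumeration(topo, src, dst, firewalls):
    # Exact set: every firewall lying on at least one simple src->dst path.
    return {n for p in all_simple_paths(topo, src, dst) for n in p if n in firewalls}

def _reach(adj, start, stop):
    # BFS from start; 'stop' is recorded but never expanded (a path ends there).
    seen, queue = {start}, deque([start])
    while queue:
        n = queue.popleft()
        if n == stop:
            continue
        for m in adj.get(n, []):
            if m not in seen:
                seen.add(m); queue.append(m)
    return seen

def firewalls_by_reachability(topo, src, dst, firewalls):
    # O(V+E) conservative superset: firewalls reachable from src (without
    # crossing dst) that can also reach dst (without crossing src).
    reverse = {}
    for n, nbrs in topo.items():
        for m in nbrs:
            reverse.setdefault(m, []).append(n)
    fwd, back = _reach(topo, src, dst), _reach(reverse, dst, src)
    return {fw for fw in firewalls if fw in fwd and fw in back}
```

On this topology the reachability check additionally selects FW5, which the exact enumeration excludes; configuring it is harmless but redundant, which is the trade-off of the faster method.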
Another approach is to use skilled technicians who can locate the enforcement firewalls. The skilled technician may manually eliminate redundant paths to minimize the number of firewalls in use. Because the approach is manual, it incurs the overhead and costs associated with employing experienced technicians. Furthermore, this kind of approach cannot be automated.
Based on the foregoing, there is a clear need for an efficient and automated approach for identifying enforcement firewalls that may potentially need to enforce a security policy in a network topology for a given source and destination node.