
Process for inferring network traffic based on the rules contained in Normalized Device Configuration files

IP.com Disclosure Number: IPCOM000232455D
Publication Date: 2013-Nov-11
Document File: 4 page(s) / 56K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a process that leverages information present in a Normalized Device Configuration document (i.e., rules, routing, and other information required to create a network topology) to auto-generate network flow data that matches the routing rules present in a network topology, as well as traffic that matches the paths that the firewalls allow. The process allows successful testing of the network topology model.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.


Currently, the network flow data (i.e., Source Internet Protocol (IP) address to Destination IP address, port, and protocol) used to test a system containing a network topology model is either uncontrolled (i.e., random network traffic) or hand-crafted and sent via internally developed tools. When a networking device is backed up, a Normalized Device Configuration file in Extensible Markup Language (XML) is created that contains routing, firewall rules, and other device information.

Constructing network-flow datasets that match the Normalized Device Configurations (i.e., the normalized configurations are gathered from various networking devices, ingested by a system, and used to generate a topology graph of that specific network) can be a long, error-prone process. Without flow data that matches the device configurations, these systems cannot be sufficiently tested.

The Normalized Device Configuration document that is created using the product contains information about all the rules, routing, and other information required to create a network topology.

The novel process is to leverage this information to auto-generate network flow data that matches the routing rules present in the topology, as well as traffic that matches the paths that the firewalls allow.
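The following is an added example, not part of the original disclosure, showing one way such inference can work: a small constructed device configuration (the element and attribute names are assumptions, not the real Normalized Device Configuration schema) is parsed, each allow rule is turned into flow records that it permits, one extra record per rule probes a port the rule does not cover, every record is labelled with the first-match firewall verdict and the longest-prefix egress interface, and the result is written as a flow file for a topology model under test.

```python
"""Infer synthetic network flow records from a (constructed) normalized
device configuration so a topology model can be exercised with traffic
that the configured routes and firewall rules actually permit or deny."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configuration. The element and attribute names are
# assumptions for this example, not the real Normalized Device Configuration schema.
SAMPLE_CONFIG = """\
<device name="fw1">
  <routes>
    <route destination="10.0.1.0/24" interface="eth0"/>
    <route destination="10.0.2.0/24" interface="eth1"/>
    <route destination="0.0.0.0/0" interface="eth2"/>
  </routes>
  <firewall>
    <rule action="allow" src="10.0.1.0/24" dst="10.0.2.0/24" protocol="tcp" ports="80,443"/>
    <rule action="allow" src="10.0.1.0/24" dst="10.0.2.10/32" protocol="udp" ports="53"/>
    <rule action="deny" src="any" dst="any" protocol="any" ports="any"/>
  </firewall>
</device>
"""

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _net(text):
    """Translate the config's 'any' keyword into a match-everything network."""
    return ANY_NET if text == "any" else ipaddress.ip_network(text)


def parse_config(xml_text):
    """Extract the routing table and the ordered firewall rule list from the XML."""
    root = ET.fromstring(xml_text)
    routes = [(_net(r.get("destination")), r.get("interface")) for r in root.iter("route")]
    rules = []
    for r in root.iter("rule"):
        ports = None if r.get("ports") == "any" else [int(p) for p in r.get("ports").split(",")]
        rules.append({"action": r.get("action"), "src": _net(r.get("src")),
                      "dst": _net(r.get("dst")), "protocol": r.get("protocol"), "ports": ports})
    return {"routes": routes, "rules": rules}


def egress_interface(routes, dst_ip):
    """Longest-prefix match over the routing table, as a router would forward."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [(net.prefixlen, iface) for net, iface in routes if addr in net]
    return max(candidates)[1] if candidates else None


def evaluate(rules, flow):
    """First-match firewall evaluation with an implicit deny when nothing matches."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for rule in rules:
        if (src in rule["src"] and dst in rule["dst"]
                and rule["protocol"] in ("any", flow["protocol"])
                and (rule["ports"] is None or flow["port"] in rule["ports"])):
            return rule["action"]
    return "deny"


def _sample_host(net, offset):
    """Deterministic host inside net; clamps so a /32 (or /0) never overflows."""
    return str(net.network_address + min(offset, net.num_addresses - 1))


def generate_flows(config, src_offset=5, dst_offset=7):
    """One flow per allowed port of each allow rule, plus one probe per rule on
    a port the rule does not cover, so the model sees both verdicts."""
    flows = []
    for rule in config["rules"]:
        if rule["action"] != "allow" or rule["ports"] is None:
            continue
        src = _sample_host(rule["src"], src_offset)
        dst = _sample_host(rule["dst"], dst_offset)
        for port in rule["ports"] + [max(rule["ports"]) + 1]:
            flow = {"src": src, "dst": dst, "port": port, "protocol": rule["protocol"]}
            flow["expected"] = evaluate(config["rules"], flow)
            flow["interface"] = egress_interface(config["routes"], dst)
            flows.append(flow)
    return flows


def to_flow_file(flows):
    """Render the inferred flows as a CSV flow file for the system under test."""
    lines = ["src_ip,dst_ip,port,protocol,egress_if,expected"]
    for f in flows:
        lines.append(f"{f['src']},{f['dst']},{f['port']},{f['protocol']},{f['interface']},{f['expected']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_flow_file(generate_flows(parse_config(SAMPLE_CONFIG))))
```

Because each record carries the verdict and egress interface derived from the configuration itself, a topology model that ingests the file can be checked against the rules it was built from: any flow the model reports as allowed but the file labels deny (or vice versa) points to a modelling defect rather than noise in captured traffic.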

At a high level, the Normalized Device Configuration document that is created using the system containing a network topological model contains data about all the rules, routing, and other information required to create a network topology. This topology is a representation of the user's network that can be queried through a policy monitor tool and, if configured properly, can ingest event/flow data from Security Information and Event Management (SIEM) software in order to create "connections" (among other things) that have occurred over time. These connections show an aggregated view of the flow and event data (allowed and denied traffic) that has actually occurred over the network as recorded by the SIEM.

Using the information contained within the Normalized Device Configurations, as well as the information stored by the SIEM software that contains a network topological model, the process auto-generates network flow files that match the traffic that is allowable over the user's known network. One application is to allow the test, support, and development...