
Network and Service Management, IEEE Transactions on

Issue 1 • Date April 2004

  • Modeling and Management of Firewall Policies

    Page(s): 2 - 10

    Firewalls are core elements in network security. However, managing firewall rules, especially for enterprise networks, has become complex and error-prone. Firewall filtering rules have to be carefully written and organized in order to correctly implement the security policy. In addition, inserting or modifying a filtering rule requires thorough analysis of the relationship between this rule and other rules in order to determine the proper order of this rule and commit the updates. In this paper we present a set of techniques and algorithms that provide automatic discovery of firewall policy anomalies to reveal rule conflicts and potential problems in legacy firewalls, and anomaly-free policy editing for rule insertion, removal, and modification. This is implemented in a user-friendly tool called "Firewall Policy Advisor." The Firewall Policy Advisor significantly simplifies the management of any generic firewall policy written as filtering rules, while minimizing network vulnerability due to firewall rule misconfiguration.

  • Failure-Oriented Path Restoration Algorithm for Survivable Networks

    Page(s): 11 - 20

    In this article, a new polynomial-time approximation algorithm called Service Path Local Optimization (SPLO) is proposed for the online restoration problem. SPLO is shown to perform competitively with existing offline heuristic algorithms in terms of spare capacity. SPLO is designed for online computation where only one request is computed at any one time, and the decision making does not depend on future requests. The polynomial-time and online nature of the algorithm makes SPLO suitable for use in real-time on-demand path request applications. SPLO can be combined with a non-polynomial post-processing component that re-optimizes the backup paths. Significant reductions in spare capacity requirements are achievable at the expense of higher computation time. Further, the potential for SPLO as an algorithm in traffic engineering applications is investigated by looking at the performance impact when source-destination-based traffic aggregation is applied. We also introduce a new concept called path intermix where the service path's allocated bandwidth can be used by the backup paths protecting that particular service path.

  • Scalability of Peer Configuration Management in Logically Ad Hoc Networks

    Page(s): 21 - 29

    Current interest in ad hoc and peer-to-peer networking technologies prompts a re-examination of models for configuration management within these frameworks. In the future, network management methods may have to scale to millions of nodes within a single organization, with complex social constraints. In this paper, we discuss whether it is possible to manage the configuration of large numbers of network devices using well known and not so well known configuration models, and we discuss how the special characteristics of ad hoc and peer-to-peer networks are reflected in this problem.

  • IPv6-in-IPv4 Tunnel Discovery: Methods and Experimental Results

    Page(s): 30 - 38

    Tunnels are widely used to improve security and to expand networks without having to deploy native infrastructure. They play an important role in the migration to IPv6, which relies on IPv6-in-IPv4 tunnels where native connectivity is not available. However, tunnels offer lower performance and are less than native links. In this paper we introduce a number of techniques to detect, and collect information about, IPv6-in-IPv4 tunnels, and show how a known tunnel can be used as a "vantage point" to launch third-party tunnel-discovery explorations, scaling up the discovery process. We describe our Tunneltrace tool, which implements the proposed techniques, and validate them by means of a wide experimentation on the 6bone tunneled network, on native networks in Italy, the Netherlands, and Japan, and through the test boxes deployed worldwide by the RIPE NCC as part of the Test Traffic Measurements Service. We assess to what extent 6bone registry information is coherent with the actual network topology, and we provide the first experimental results on the current distribution of IPv6-in-IPv4 tunnels in the Internet, showing that even "native" networks reach more than 60 percent of all IPv6 prefixes through tunnels. Furthermore, we provide historical data on the migration to native IPv6, showing that the impact of tunnels in the IPv6 Internet did not significantly decrease over a six-month period. Finally, we briefly touch on the security issues posed by IPv6-in-IPv4 tunnels, discussing possible threats and countermeasures.

  • Generic On-Line Discovery of Quantitative Models

    Page(s): 39 - 48

    Quantitative models are needed for a variety of management tasks, including identification of critical variables to use for health monitoring, anticipating service-level violations by using predictive models, and ongoing optimization of configurations. Unfortunately, constructing quantitative models requires specialized skills that are in short supply. Even worse, rapid changes in provider configurations and the evolution of business demands mean that quantitative models must be updated on an ongoing basis. This paper describes an architecture and algorithms for online discovery of quantitative models without prior knowledge of the managed elements. The architecture makes use of an element schema that describes managed elements using the Common Information Model (CIM). Algorithms are presented for selecting a subset of the element metrics to use as explanatory variables in a quantitative model and for constructing the quantitative model itself. We further describe a prototype system based on this architecture that incorporates these algorithms. We apply the prototype to online estimation of response times for DB2 Universal Database under a TPC-W workload. Of the approximately 500 metrics available from the DB2 performance monitor, our system chooses three to construct a model that explains 72 percent of the variability of response time.


Aims & Scope

IEEE Transactions on Network and Service Management will publish (online only) peer-reviewed, archival-quality papers that advance the state of the art and practical applications of network and service management.


Meet Our Editors

Editor-in-Chief

Rolf Stadler
Laboratory for Communication Networks
KTH Royal Institute of Technology
Stockholm
Sweden
stadler@kth.se