About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
Publication
NSDI 2011
Conference paper
Towards automated identification of security zone classification in enterprise networks
Abstract
Knowledge of the security zone classification of devices in an enterprise information technology (IT) infrastructure is essential in many enterprise IT transformation and optimization activities. We describe a systematic and semi-automated approach for discovering the security zone classification of devices in an enterprise network. For reduced interference with normal operation of the IT infrastructure, our approach is structured in stages, each consisting of two phases: one phase involves collecting information about actually allowed network flows, followed by an analysis phase. As part of our approach, we describe an elimination-based inference algorithm. We also present an alternative to the algorithm based on the Constraint Satisfaction Problem, and explore trade-offs between the two. Using a case study, we demonstrate the validity of our approach.