Patents by Inventor Rajesh Talpade

Rajesh Talpade has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8719913
    Abstract: Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual entries that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting entries. An aspect of the invention converts an order-dependent control list into an order-free equivalent. Redundant entries are identified and removed without adversely affecting the access control list. Redundancy may be identified by evaluating the volume contraction ratio, which is the ratio of the volume of spin-off entries to specific original entry in the access control list. This ratio reflects the extent of order-dependent impact on that entry in a given access control list.
    Type: Grant
    Filed: December 10, 2009
    Date of Patent: May 6, 2014
    Assignee: TT Government Solutions, Inc.
    Inventors: Yibei Ling, Aditya Naidu, Rajesh Talpade
  • Patent number: 8315966
    Abstract: A system and method provides a solution to the problem of applying end-to-end requirements of connectivity, security, reliability and performance to configure a network and ultimately assign network components to the network. All requirements are modeled as constraints and a constraint solver does the resolution. Not every constraint to be solved is solved by the model-finder. Instead, we “factor away” subsets of a constraint that can be efficiently solved via a special-purpose constraint solver, such as an SQL/Prolog engine, linear programming system, or even an algorithm, leaving behind a constraint that truly requires the power of model-finding, and that is often efficiently solvable by existing model-finders. Such constraints are compiled into quantifier-free constraints that are Boolean combinations of constraints of two forms x=y and x=c where x, y are variables and c is a constant. Such constraints can be efficiently solved by modern SAT-based model-finders.
    Type: Grant
    Filed: November 10, 2008
    Date of Patent: November 20, 2012
    Assignee: Telcordia Technologies, Inc.
    Inventors: Sanjai Narain, Gary Levin, Vikram Kaul, Rajesh Talpade
  • Publication number: 20110283348
    Abstract: Aspects of the invention pertain to integrated compliance analysis of multiple firewalls and access control lists for network segregation and partitioning. Access control lists may have many individual rules that indicate whether information can be passed between certain devices in a computer network. The access control lists in different firewalls in different network segments within a given network may overlap or have inconsistent rules. Aspects of the invention generate differences between firewalls, analyze equivalency of firewalls, generate the intersection (if any) between a pair of firewalls, and generate the union (if any) between firewalls. Such information provides an integrated analysis of multiple interrelated firewalls, including inbound and outbound access control lists for such firewalls, and may be used to manage firewall operation within the network to ensure consistent operation and maintain network security.
    Type: Application
    Filed: May 13, 2010
    Publication date: November 17, 2011
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Yibei Ling, Aditya Naidu, Rajesh Talpade
  • Patent number: 7962635
    Abstract: Aspects of the invention pertain to user session management in load balanced clusters. Multiple application servers communicate with a central data server to ensure there is a single session per user ID. The central data server maintains a user session index and a parameter table. Each time a network access is attempted using a given user ID, a load balancer assigns the session to one of the application servers. The assigned application server queries the central data server to determine whether a session status for the user's login ID is inactive or active. If inactive, a new, unique value is assigned as the session number. If active, the session number is evaluated to determine whether multiple sessions exist. In this case, one of the sessions is terminated to ensure a single session per user ID. Preferably, the terminated session is the earlier session.
    Type: Grant
    Filed: December 7, 2009
    Date of Patent: June 14, 2011
    Assignee: Telcordia Technologies, Inc.
    Inventors: Aditya Naidu, Rajesh Talpade, Harshad Tanna, Sabine Winchell
  • Publication number: 20100217860
    Abstract: Aspects of the invention pertain to user session management in load balanced clusters. Multiple application servers communicate with a central data server to ensure there is a single session per user ID. The central data server maintains a user session index and a parameter table. Each time a network access is attempted using a given user ID, a load balancer assigns the session to one of the application servers. The assigned application server queries the central data server to determine whether a session status for the user's login ID is inactive or active. If inactive, a new, unique value is assigned as the session number. If active, the session number is evaluated to determine whether multiple sessions exist. In this case, one of the sessions is terminated to ensure a single session per user ID. Preferably, the terminated session is the earlier session.
    Type: Application
    Filed: December 7, 2009
    Publication date: August 26, 2010
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Aditya Naidu, Rajesh Talpade, Harshad Tanna, Sabine Winchell
  • Publication number: 20100199344
    Abstract: Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual entries that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting entries. An aspect of the invention converts an order-dependent control list into an order-free equivalent. Redundant entries are identified and removed without adversely affecting the access control list. Redundancy may be identified by evaluating the volume contraction ratio, which is the ratio of the volume of spin-off entries to specific original entry in the access control list. This ratio reflects the extent of order-dependent impact on that entry in a given access control list.
    Type: Application
    Filed: December 10, 2009
    Publication date: August 5, 2010
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Yibei Ling, Aditya Naidu, Rajesh Talpade
  • Publication number: 20100199346
    Abstract: Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual rules that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting rules. An aspect of the invention determines whether two or more access control lists are equivalent or not. Order-dependent access control lists are converted into order-independent access control lists, which enable checking of semantic equivalence of different access control lists. Upon conversion to an order-independent access control list, lower-precedence rules in the order-free list are checked for overlap with a current higher precedence entry. If overlap exists, existing order-free rules are modified so that spinoff rules have no overlap with the current entry. This is done while maintaining semantic equivalence.
    Type: Application
    Filed: December 10, 2009
    Publication date: August 5, 2010
    Applicant: Telcordia Technologies, Inc.
    Inventors: Yibei Ling, Aditya Naidu, Rajesh Talpade
  • Publication number: 20100042605
    Abstract: An inventive system and method for versioning relational database disjoint records comprises a relational database, configuration files translated into query files, and a version control system, wherein each query file is stored and checked into the version control system, updating a version number of the query file. Each query file comprises a set of query statements. Query files are retrieved from the version control system based on the version number or an independent data item, and put into the database for analysis. In one embodiment, one of the configuration files comprises a configuration of a device, such as a router, a switch, a firewall, or a medical record. The method comprises acquiring configuration files, changing the configuration files into query files and storing the query files, and checking each query file into a version control system, wherein the checking in updates a version number of the query file.
    Type: Application
    Filed: July 31, 2009
    Publication date: February 18, 2010
    Applicant: Telcordia Technologies, Inc.
    Inventors: Yuu-heng Cheng, Alexander Poylisher, Aditya Naidu, Rajesh Talpade, Shrirang Gadgil
  • Publication number: 20090265296
    Abstract: A system and method provides a solution to the problem of applying end-to-end requirements of connectivity, security, reliability and performance to configure a network and ultimately assign network components to the network. All requirements are modeled as constraints and a constraint solver does the resolution. Not every constraint to be solved is solved by the model-finder. Instead, we “factor away” subsets of a constraint that can be efficiently solved via a special-purpose constraint solver, such as an SQL/Prolog engine, linear programming system, or even an algorithm, leaving behind a constraint that truly requires the power of model-finding, and that is often efficiently solvable by existing model-finders. Such constraints are compiled into quantifier-free constraints that are Boolean combinations of constraints of two forms x=y and x=c where x, y are variables and c is a constant. Such constraints can be efficiently solved by modern SAT-based model-finders.
    Type: Application
    Filed: November 10, 2008
    Publication date: October 22, 2009
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Sanjai Narain, Gary Levin, Vikram Kaul, Rajesh Talpade
  • Publication number: 20080172716
    Abstract: Customizable software provides assurances about the ability of an IP network to satisfy security, regulatory and availability requirements by comprehensive vulnerability and compliance assessment of IP networks through automated analysis of configurations of devices such as routers, switches, and firewalls. The solution comprises three main approaches for testing of IP device configurations to eliminate errors that result in vulnerabilities or requirements compliance issues. The first two fall into the “static constraint validation” category since they do not change significantly for each IP network, while the last approach involves incorporation of each specific IP network's policies/requirements. These approaches are complementary, and may be used together to satisfy all the properties described above. The first approach involves checking the configurations of devices for conformance to Best-Current-Practices provided by vendors (e.g.
    Type: Application
    Filed: September 12, 2007
    Publication date: July 17, 2008
    Inventors: Rajesh Talpade, Sanjai Narain, Yuu-Heng Cheng, Alexander Poylisher
  • Patent number: 7359322
    Abstract: Bandwidth allocated between the traffic classes of a network path is dynamically reallocated when one or more traffic classes have insufficient available bandwidth to support a service request for the traffic classes, wherein the reallocation occurs without modifying the traffic class bandwidth allocations enforced by router mechanisms. A provisioning system maintains an available bandwidth indication for each traffic class, which indications are decremented as a service request is admitted to the path. If a requested traffic class has insufficient available bandwidth to support a request, one or more other traffic classes can loan bandwidth to the requested traffic class by decrementing the available bandwidth indicators for the one or more other traffic classes in the amount of the insufficiency, thereby indicating that less bandwidth is available in these classes for future requests.
    Type: Grant
    Filed: August 12, 2002
    Date of Patent: April 15, 2008
    Assignee: Telcordia Technologies, Inc.
    Inventors: Sumit Khurana, Sunil Samtani, Rajesh Talpade
  • Publication number: 20060239203
    Abstract: In packet-drop attacks in ad hoc networks, a malicious network node chooses to selectively drop packets that are supposed to be forwarded, which results in adverse impact on application good-put and network stability. A method and system for detection of packet-drop attacks in ad hoc networks requires network nodes to report statistics on IP flow packets originated, received, or forwarded to neighbors. These statistics are analyzed and correlated to determine nodes suspected of dropping packets.
    Type: Application
    Filed: December 12, 2005
    Publication date: October 26, 2006
    Inventors: Rajesh Talpade, Anjum Farooq
  • Publication number: 20040148520
    Abstract: Service attacks, such as denial of service and distributed denial of service attacks, of a customer network are detected and subsequently mitigated by the Internet Service Provider (ISP) that services the customer network. A sensor examines the traffic entering the customer network for attack traffic. When an attack is detected, the sensor notifies an analysis engine within the ISP network to mitigate the attack. The analysis engine configures a filter router to advertise new routing information to the border and edge routers of the ISP network. The new routing information instructs the border and edge routers to reroute attack traffic and non-attack traffic destined for the customer network to the filter router. At the filter router, the attack traffic and non-attack traffic are automatically filtered to remove the attack traffic. The non-attack traffic is passed back onto the ISP network for routing towards the customer network.
    Type: Application
    Filed: January 29, 2003
    Publication date: July 29, 2004
    Inventors: Rajesh Talpade, Sunil Madhani, Petros Mouchtaris, Larry Wong
  • Publication number: 20040028054
    Abstract: Bandwidth allocated between the traffic classes of a network path is dynamically reallocated when one or more traffic classes have insufficient available bandwidth to support a service request for the traffic classes, wherein the reallocation occurs without modifying the traffic class bandwidth allocations enforced by router mechanisms. A provisioning system maintains an available bandwidth indication for each traffic class, which indications are decremented as a service request is admitted to the path. If a requested traffic class has insufficient available bandwidth to support a request, one or more other traffic classes can loan bandwidth to the requested traffic class by decrementing the available bandwidth indicators for the one or more other traffic classes in the amount of the insufficiency, thereby indicating that less bandwidth is available in these classes for future requests.
    Type: Application
    Filed: August 12, 2002
    Publication date: February 12, 2004
    Inventors: Sumit Khurana, Sunil Samtani, Rajesh Talpade