Abstract: A system and method for policy based management for a high security MANET comprises policy managers, each performing policy decision-making and policy enforcement using multiple policies, containers, each related to an application and each container having one policy manager, nodes, each having an infrastructure and at least one container, and dynamic community building blocks associating the containers having a same application, the containers being in different nodes, the associated containers maintained by the dynamic community building blocks on a secure network. Each container can define a security boundary around the node. Each container can be a lightweight virtual machine. The system can also have a special container having a policy manager only evaluating policies for conflicts. In one embodiment, a node can consist of multiple network devices and each network device is a container of its own.

Abstract: A method and apparatus for detecting spoofed IP network traffic is presented. A mapping table is created to indicate correlations between IP address prefixes and AS numbers, based on routing information collected from a plurality of data sources. At each interface of a target network, IP address prefixes from a training traffic flow are acquired and further converted into AS numbers based on the mapping table. An EAS (Expected Autonomous System) table is populated by the AS numbers collected for each interface. The EAS table is used to determine if an operation traffic flow is allowed to enter the network.

Abstract: A method and apparatus for detecting spoofed IP network traffic is presented. A mapping table is created to indicate correlations between IP address prefixes and AS numbers, based on routing information collected from a plurality of data sources. At each interface of a target network, IP address prefixes from a training traffic flow are acquired and further converted into AS numbers based on the mapping table. An EAS (Expected Autonomous System) table is populated by the AS numbers collected for each interface. The EAS table is used to determine if an operation traffic flow is allowed to enter the network.

Abstract: An autonomous management cluster of network elements serves as a distributed configuration repository. Network elements sharing a common pre-determined shared identifier autonomously form themselves as a management cluster. The network elements in the cluster exchange configuration files. In the event of a loss, destruction, or corruption of one of the network element's configuration file, the network element recovers its configuration file from its closest neighbor in its management cluster. The management cluster can also be used to efficiently disseminate configuration changes by simply communicating the changes to one or more elements in the cluster, and allowing the other nodes in the cluster to discover and retrieve their updated configuration files.

Abstract: A system and method for policy based management for a high security MANET comprises policy managers, each performing policy decision-making and policy enforcement using multiple policies, containers, each related to an application and each container having one policy manager, nodes, each having an infrastructure and at least one container, and dynamic community building blocks associating the containers having a same application, the containers being in different nodes, the associated containers maintained by the dynamic community building blocks on a secure network. Each container can define a security boundary around the node. Each container can be a lightweight virtual machine. The system can also have a special container having a policy manager only evaluating policies for conflicts. In one embodiment, a node can consist of multiple network devices and each network device is a container of its own.

Abstract: An inventive system and method for versioning relational database disjoint records comprises a relational database, configuration files translated into query files, and a version control system, wherein each query file is stored and checked into the version control system, updating a version number of the query file. Each query file comprises a set of query statements. Query files are retrieved from the version control system based on the version number or an independent data item, and put into the database for analysis. In one embodiment, one of the configuration files comprises a configuration of a device, such as a router, a switch, a firewall, or a medical record. The method comprises acquiring configuration files, changing the configuration files into query files and storing the query files, and checking each query file into a version control system, wherein the checking in updates a version number of the query file.

Abstract: Customizable software provides assurances about the ability of an IP network to satisfy security, regulatory and availability requirements by comprehensive vulnerability and compliance assessment of IP networks through automated analysis of configurations of devices such as routers, switches, and firewalls. The solution comprises three main approaches for testing of IP device configurations to eliminate errors that result in vulnerabilities or requirements compliance issues. The first two fall in to the “static constraint validation” category since they do not change significantly for each IP network, while the last approach involves incorporation of each specific IP network's policies/requirements. These approaches are complementary, and may be used together to satisfy all the properties described above. The first approach involves checking the configurations of devices for conformance to Best-Current-Practices provided by vendors (e.g.