We developed and tested our adaptive management architecture against several representative use cases, both to validate the architecture for a
large enterprise network consisting of diverse security enforcement points with varying security capabilities, and to validate the
usability of such an architecture in highly complex, heterogeneous, multi-device, multi-protocol networks. The use cases most
relevant to autonomic management are:
- Degraded mode of operation. This use case demonstrates how network policy reacts when the network is forced into a
degraded mode of operation by an unexpected change (e.g., a denial-of-service attack).
- Dynamic policies with feedback from the network. This use case demonstrates the ability to present real-time
information that drives adaptive changes to the network configuration in order to secure against a threat detected by our distributed
detection systems.
- Automatic detection, resolution, and verification of policy conflicts.
Other related use cases we developed include complex policy enforcement, high-level policy definition and abstraction, domains of
constant policies, and visualization.
Figure 6 is a diagram of the lab network used to conduct the use case tests. The lab was set up to mirror a large-scale,
heterogeneous IT production environment as closely as possible. The setup includes typical network security products and technologies such
as firewalls, network intrusion detection and prevention systems (NIDS/NIPS), routers, and switches. The network topology for the lab
also mirrors a typical enterprise network with different zones (Internet, demilitarized zone (DMZ), and Intranet).

We used a Security Event Management System (SEMS) as the central repository of all network events. The SEMS stores event streams from
various sources (IDSs, firewall logs, router logs, etc.) in a database and performs holistic, network-level correlation and aggregation
of the events to generate real-time alerts for the entire network, rather than alerting per device. These network-wide correlated alerts
are used to trigger a policy update via the MOM to the appropriate network control point(s).

In our tests, we were able to demonstrate the adaptive feedback concept using these active components. To simulate a network degradation,
we injected a stream of abnormal network traffic in the form of UDP-based, denial-of-service-like malware attacks. The SEMS detected these
events, correlated them, and sent the alert to the MOM console. In response, the MOM console automatically created a dynamic policy update
to counter the threat. In this example, the control update was to block the source IP address generating the attack traffic; the update
was pushed to the network enforcement point closest to the source of the attack. We verified this in multiple scenarios in which the
attack traffic was blocked automatically.
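As an added illustration (not code from the original article or its authors), the following Python sketch models the feedback loop just described: constructed event records from two sensors are correlated network-wide by source IP, a source exceeding a UDP-event threshold inside a time window raises an alert, the alert becomes a deny policy, and the policy is pushed to the enforcement point whose segment contains the source with the longest prefix match, standing in for "the enforcement point closest to the source". The event format, thresholds, sensor names, topology and the longest-prefix rule are all assumptions; the SEMS and MOM themselves are not modelled, only their roles in the loop.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample event stream (not captured data): tuples of
# (timestamp_s, sensor, src_ip, dst_ip, proto). A NIDS in the DMZ and the edge
# firewall both see a UDP flood from 10.1.5.23; only the firewall sees a few
# sporadic UDP packets from 10.2.0.7.
EVENTS = [
    (100, "nids-dmz", "10.1.5.23", "172.16.0.10", "udp"),
    (100, "fw-edge",  "10.1.5.23", "172.16.0.10", "udp"),
    (101, "nids-dmz", "10.1.5.23", "172.16.0.10", "udp"),
    (101, "fw-edge",  "10.1.5.23", "172.16.0.10", "udp"),
    (102, "nids-dmz", "10.1.5.23", "172.16.0.10", "udp"),
    (102, "fw-edge",  "10.1.5.23", "172.16.0.10", "udp"),
    (103, "fw-edge",  "10.2.0.7",  "172.16.0.20", "udp"),
    (104, "nids-dmz", "10.1.5.23", "172.16.0.10", "udp"),
    (105, "fw-edge",  "10.1.5.23", "172.16.0.10", "udp"),
    (130, "fw-edge",  "10.2.0.7",  "172.16.0.20", "udp"),
    (131, "fw-edge",  "10.2.0.7",  "172.16.0.20", "udp"),
]

# Hypothetical enforcement points and the segment each one fronts. A more
# specific prefix means the device sits closer to the hosts in that segment.
TOPOLOGY = {
    "fw-edge":     ip_network("0.0.0.0/0"),    # Internet-facing firewall
    "sw-floor1":   ip_network("10.1.0.0/16"),  # access switch ACLs, building 1
    "rtr-floor1a": ip_network("10.1.5.0/24"),  # router fronting the 10.1.5.0 segment
    "sw-floor2":   ip_network("10.2.0.0/16"),  # access switch ACLs, building 2
}

def correlate(events, window=10, threshold=5, min_sensors=2):
    """Network-wide correlation (the SEMS role): slide a time window over the
    UDP events of each source IP, counting sightings from every sensor
    together. An alert fires when >= threshold events fall inside `window`
    seconds AND >= min_sensors distinct sensors reported them, so a burst
    seen by one device alone does not drive a policy change."""
    by_src = defaultdict(list)
    for ts, sensor, src, _dst, proto in sorted(events):
        if proto == "udp":
            by_src[src].append((ts, sensor))
    alerts = []
    for src, seen in by_src.items():
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1
            in_window = seen[start:end + 1]
            sensors = {s for _, s in in_window}
            if len(in_window) >= threshold and len(sensors) >= min_sensors:
                alerts.append({"src": src, "count": len(in_window),
                               "sensors": sorted(sensors), "at": seen[end][0]})
                break  # one alert per source is enough to drive a policy
    return alerts

def nearest_enforcement_point(src_ip, topology=TOPOLOGY):
    """Pick the enforcement point whose segment contains src_ip with the
    longest prefix (assumed stand-in for 'closest to the source'), so the
    flood is dropped before it crosses the core."""
    addr = ip_address(src_ip)
    return max((net.prefixlen, name) for name, net in topology.items() if addr in net)[1]

def build_block_policy(alert, topology=TOPOLOGY):
    """Turn a correlated alert into the dynamic policy update the MOM pushes."""
    return {
        "enforcement_point": nearest_enforcement_point(alert["src"], topology),
        "action": "deny",
        "src": alert["src"],
        "proto": "udp",
        "reason": f"udp flood: {alert['count']} events from {len(alert['sensors'])} sensors",
    }

def enforce(policies, events, topology=TOPOLOGY):
    """Verification step: replay the traffic through the enforcement point
    nearest each source and split it into (passed, blocked)."""
    denied = {(p["enforcement_point"], p["src"], p["proto"]) for p in policies}
    passed, blocked = [], []
    for ev in events:
        _ts, _sensor, src, _dst, proto = ev
        key = (nearest_enforcement_point(src, topology), src, proto)
        (blocked if key in denied else passed).append(ev)
    return passed, blocked

def run_feedback_loop(events, topology=TOPOLOGY):
    """SEMS correlation -> MOM policy update -> enforcement point, then verify."""
    policies = [build_block_policy(a, topology) for a in correlate(events)]
    passed, blocked = enforce(policies, events, topology)
    return policies, passed, blocked

if __name__ == "__main__":
    pols, ok, dropped = run_feedback_loop(EVENTS)
    for p in pols:
        print(f"push to {p['enforcement_point']}: deny {p['proto']} from {p['src']} ({p['reason']})")
    print(f"{len(dropped)} events blocked, {len(ok)} still passing")
```

The `min_sensors` requirement is what separates the network-wide correlation in the text from a per-device alert: the three packets from 10.2.0.7 are seen by a single sensor and never cross the threshold, while the flood from 10.1.5.23 is confirmed by both sensors and is blocked at the router fronting its own segment rather than at the edge firewall.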

Figure 6: Lab network