Static Analysis of Packet Forwarding and Filtering Configurations in Industrial Networks

Securing industrial networked infrastructures has become increasingly important since the growth in their connectivity brought by production digitalization and the diffusion of paradigms such as Industrial Internet of Things (IIoT). Network segmentation is considered best practice to protect these networks from outside/inside cyber-attacks. To this purpose, network devices equipped with forwarding/filtering capabilities need to be suitably configured and deployed for the enforcement of segment-related security policies. Configuration of these devices in today industrial networked infrastructures is typically the result of a mix of manual and automated processes and, given the heterogeneity of devices and configuration languages, as well as of the supported applications and related requirements, it is often hard to make sure of its correctness and impact, e.g., on traffic latency. In this paper, a model is proposed to jointly describe network forwarding and filtering configuration. Techniques are then provided to perform static analyses such as verification of reachability intents and configuration equivalence, as well as the estimation of the latency introduced for handling specific traffic.